nothing interesting Zola 2026-03-08T00:00:00+00:00 https://landaire.net/atom.xml 2026-03-08T00:00:00+00:00 2026-03-08T00:00:00+00:00 Unknown https://landaire.net/reverse-engineering-with-ai/ <h2 id="getting-into-security"><a class="zola-anchor" href="#getting-into-security" aria-label="Anchor link for: getting-into-security" >#</a > Getting Into Security</h2> <p>In middle school the gateway drug known as <em>Halo 3</em> and unapproved mods shared on the game's File Share system got me interested in programming and security.</p> <p>Through these mods and YouTube tutorials I discovered the (long defunct) Xbox-Tampers forum, followed tutorials on how to edit map files in a hex editor and make very basic MSN Messenger nudge bomb applications, and met some great people through that site who I'm still friends with.</p> <p>I remember the struggles in the late 2000s and early 2010s of using <del>cracked</del> expensive copies of IDA Pro to reverse engineer bits of the Xbox 360 to better write modding tools, and begging my friends who were much better than me (like <a rel="external" href="https://x.com/carrot_c4k3">@carrot_c4k3</a>, <a rel="external" href="https://github.com/Xenomega">Xenomega</a>, and <a rel="external" href="https://x.com/Grimdoomer/">@Grimdoomer</a>) to help me reverse some Xbox 360 OS functions that I could not understand.</p> <p>I've invested a lot of time and energy to try to get better at these things over the past 18 or so years. It's not what I live and breathe anymore and I'm not insanely cracked at RE, but I feel I've gotten pretty decent at being able to throw a binary into a static analysis tool and with disassembly/pseudocode can reasonably understand what's going on in an an application.</p> <p>I've worked professional as a security engineer for the past 10 years and of course, AI "happened" and it's shaken up a lot of things, but I've still felt fairly comfortable about my skills not being terribly threatened. I've seen people try traditional static analysis tools, data flow analysis, etc., and all tooling falls short somehow, so surely this won't be too different in the near-term -- especially for such a niche skill -- right?</p> <p>I think I was wrong.</p> <h2 id="programming-w-ai"><a class="zola-anchor" href="#programming-w-ai" aria-label="Anchor link for: programming-w-ai" >#</a > Programming w/ AI</h2> <p>For non-ethical reasons I've felt pretty anti-LLM for coding. Mostly because it made me feel disconnected, dumb, and lose context. When Copilot first came out I gave it a shot but I felt like a monkey just smashing tab to have it complete some code. My subscription was soon cancelled as I felt like I was losing my edge when I didn't have AI assistance readily available.</p> <p>At my job, however, AI adoption is being driven fairly hard and I've taken to using Claude Code for some of my side projects to understand AI usage better.</p> <p>A couple years ago I created a program called <a rel="external" href="https://landaire.net/wows-toolkit/">WoWs Toolkit</a> which for about the last year went without any major updates because I just lost the steam to context switch all the time.</p> <p>It's a fairly straightforward application designed to datamine the naval warfare videogame <em>World of Warships</em>, but has some slightly complicated internals which are used to read game files, understand the match replay format, etc:</p> <p><img src="/img/ai-reverse-engineering/replay_inspector.png" alt="WoWs Toolkit" /></p> <p>I've had people in the community ask for various features over time which were mostly filed away in the "Nice To Have Eventually" folder as some require significant time investment.</p> <p>One requested feature was the ability to read the game's proprietary 3D model format to understand the armor layout of ships in the game better. I started to reverse engineer the format about a year ago, lost steam, and just kind of dropped it.</p> <p>There are various moving parts for that, some of which I'd already done:</p> <ol> <li>Reading the game's virtual filesystem (VFS) without intermediate tools.</li> <li>Understanding the game's "GameParams" database which holds meta information about ships, upgrades, each component's 3D model path, etc.</li> </ol> <p>And parts I'd not done:</p> <ol> <li>In the main VFS is a file called "assets.bin" which is a format very similar to the VFS it's contained within, but different enough to break my parser and it also had a second string table that I hadn't yet understood.</li> <li>Any research on the <code>.geometry</code>, <code>.visual</code>, or <code>.model</code> files -- all of which are required to paint a complete picture of the mesh, model positions, world transform, etc.</li> <li>Any understanding of how ship armor was represented and how it works in relation to the mesh.</li> </ol> <p>I was making some changes to the app and thought, "Screw it, why not see if Claude can figure it out?"</p> <h2 id="claude-code-binary-ninja-mcp"><a class="zola-anchor" href="#claude-code-binary-ninja-mcp" aria-label="Anchor link for: claude-code-binary-ninja-mcp" >#</a > Claude Code + Binary Ninja MCP</h2> <p>I installed one of the MCP plugins for Binary Ninja, set it up in Claude Code, and gave it the following prompt:</p> <blockquote> <p>We have the Binary Ninja MCP running with WorldOfWarships64.exe running. There's some code I'd like you to reverse engineer in order to figure out a file format. Please document findings in G:\dev\wowsunpack\MODELS.md</p> <p>We're going to be reverse engineering the WoWs .geometry file format. An example file can be found here: G:\wows_dump\res\content\gameplay\uk\ship\aircarrier\BSA013_Colossus_1945\BSA013_Colossus_1945.geometry</p> <p>It's a 3D model format that I believe is proprietary to Wargaming's BigWorld engine. There are some magic constants in the file like <code>45 4E 43 44</code> that I've used to find a possible candidate function to start at: sub_140a5a940</p> <p>This has some interesting strings such as: <code>bufferHeader-&gt;m_magicVal == EncodedBufferHeader::EncodedMagicVal</code></p> <p>There are other functions with this magic value too that I have not looked at. Please remember if you search the binary in binary ninja for this magic value, it will need to be little-endian encoded.</p> <p>If you want to write code to test, feel free to add a new command to the wowsunpack CLI and start adding code to a new models module.</p> <p>We should use winnow for our binary parsing. Do not commit any changes.</p> </blockquote> <p>Then came some early results:</p> <p><img src="/img/ai-reverse-engineering/early_analysis.png" alt="Early AI analysis" /></p> <p><em>Note: I'm using Claude Desktop here for no good reason. Normally I'd use the CLI or ACP interfaces.</em></p> <p>And after processing for a bit:</p> <p><img src="/img/ai-reverse-engineering/later_analysis.png" alt="Additional AI analysis" /></p> <p>After about an hour or two (part of that time was waiting on me to accept some action prompt) I had some 3D models extracting into a format I could load into Blender piece-by-piece:</p> <p><img src="/img/ai-reverse-engineering/first_3d_models.png" alt="First 3D Models" /></p> <p>And after more prompting, it was able to export the entire ship with its paint textures:</p> <p><img src="/img/ai-reverse-engineering/yamato_full.png" alt="Ship Model" /></p> <p>And as a side note, it did label things/create structs!</p> <p><img src="/img/ai-reverse-engineering/labeling.png" alt="Binja Labeling" /></p> <p>As far as code is concerned, it tried to do some <em>very</em> dumb things along the way. For example, in one of these files there's some XML data at some point. It generated code where after parsing a section header it would scan forward looking for the XML blob's opening tag and do the same from that position to find the closing tag. I had to curse and yell telling it, "You're screwing this up, stop taking shortcuts. Do this the the right way. No heuristics."</p> <p>Now obviously this binary has checked assertions (which I hope remain in the binary after this blog post :) ) and those make analysis overall easier. So maybe this is an extremely positive case.</p> <p>But honestly, I'm impressed with what Claude was able to do. From this very dumb prompt I was able to go from a bit of info from myself + a very surface-level parser for a <em>dependency</em> of the model loading pipeline (not even the 3D model itself!) to code which is able to export 3D models of ships with their textures and armor models, at any LOD. And it built a custom 3D model viewer into WoWs Toolkit.</p> <p>It even did some weird things I never thought of, like <a rel="external" href="https://github.com/landaire/wows-toolkit/blob/36234afb178453fc262b113cfba1931d896f9fe7/scripts/crack_mfm_hashes.py">cracking hashes</a> from a set of known strings in the binary to figure out items in the tree structure.</p> <p>I barely wrote a line of code for this and it cost maybe ~$150 in tokens:</p> <p><img src="/img/ai-reverse-engineering/armor_viewer.png" alt="Early AI analysis" /></p> <p>If you would like to read its full analysis of the 3D model format, <a rel="external" href="https://github.com/landaire/wows-toolkit/blob/36234afb178453fc262b113cfba1931d896f9fe7/docs/MODELS.md">here is its braindump</a>. And <a rel="external" href="https://github.com/landaire/wows-toolkit/tree/36234afb178453fc262b113cfba1931d896f9fe7/crates/wowsunpack/src/models">here is the code</a>.</p> <h2 id="learnings"><a class="zola-anchor" href="#learnings" aria-label="Anchor link for: learnings" >#</a > Learnings</h2> <p>While I really don't have much to share about the specific <em>thing</em> being reverse engineered, I did learn quite a bit about interacting with Claude. I'm sure people who live and breathe LLMs have their own advice, but what I found personally valuable:</p> <ul> <li>Developing custom CLIs for rapid testing/iteration. I already had a CLI for interacting with game files which Claude was able to easily extend to test its analysis of the binary.</li> <li>The existing tooling beyond just that single CLI was critical. Other CLI tools for examining related file formats or deobfuscating data were crucial. This wasn't just a "point it at Binja and profit" sort of deal to achieve the polished result.</li> <li>Watching the code as it streams in, or ensuring a mostly comprehensive review for reasons I've already mentioned like the AI trying to take shortcuts, is very important. I interrupted Claude many times when I noticed it was taking a subpar approach.</li> <li>My project is in Rust, and Rust has a strong type system. Having the AI use strong newtypes for things like identifiers helped quite a bit with ensuring bug-free code.</li> <li>My code was originally split into a couple different repos (one for the CLI tool and libraries, one for the UI). Swapping editor windows before all of this was kind of annoying, and it was even more annoying when trying to have the agents do cross-repo changes.</li> <li>If you want to sniff out AI-assisted or generated code changes, look for unicode symbols like the fancy Unicode equivalent of <code>&lt;-&gt;</code> or <code>-&gt;</code>, comments in Rust starting with <code>//!</code>, or sudden introduction of section dividers like the following:</li> </ul> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>// ---------------------------------------------------------------------------</span></span> <span class="giallo-l"><span>// Helper: parse an array at a given offset, wrapping winnow errors</span></span> <span class="giallo-l"><span>// ---------------------------------------------------------------------------</span></span></code></pre> <p>And most importantly: there were still bugs along the way. Trying to debug some of these things and prompt for fixes without knowing specifics of how the pieces were interconnected was really annoying (e.g. ship turrets were sometimes not facing to the correct default orientation). For things I really care about being done right, I think it's still worthwhile to go through the pains myself <em>first</em> and have AI assistance later if I can if for not other reason than to save time in correcting its mistakes.</p> <h2 id="mixed-feelings"><a class="zola-anchor" href="#mixed-feelings" aria-label="Anchor link for: mixed-feelings" >#</a > Mixed Feelings</h2> <p>I would consider myself a low-level person who thinks about allocations in my application, the performance cost of various approaches, and I like knowing the details of how something works. I might do the wrong thing at times for certain tradeoffs, but I like to be aware of that tradeoff existing and which decision was made. For this task though?</p> <p>I have no idea how it works.</p> <p>Before starting this project I had zero knowledge of 3D rendering, model formats, and while I did manually reverse engineer the game's general virtual filesystem format for its packed files, I got about halfway through reversing the similar virtual filesystem used for 3D model assets. I have no idea how it works beyond what I started.</p> <p>I read the code as Claude went along, pointing out things that I thought were obvious anti-patterns or incorrect... but I couldn't tell you how the different ship mesh sections are read, then paired to their transformation matrix (which is located in another file).</p> <p>That kind of sucks.</p> <p>Don't get me wrong -- I <em>am</em> happy that I'm giving people something they want and it otherwise may not have ever gotten done without Claude helping accelerate things. I'm also happy that the barrier to these types of tasks are lowered for a modest fee. There's just not "my code" and the iteration over failure to be proud of, and I want people to feel confident that the person behind the software fully understands what it's doing. Or supposed to be doing.</p> <p>Even back in the days of asking my friends for help, I was still building a relationship with them in some capacity and they could help guide me. In some cases they would even just reverse engineer things, hand me the completed package, and explain to me the bullshit they had to understand, and I'd happily give them a shoutout for helping with the project. Now it's a one-way trip with Claude and asking it to do a brain dump.</p> <p>I suppose that just like I told the AI not to take shortcuts though, I find it hard to accept <strong>&lt;Insert This Month's Best Model&gt;</strong> doing these things at the cost of building my own context, expanding my skillset to new areas, and keeping my existing skills sharp.</p> 2025-11-06T00:00:00+00:00 2025-11-06T00:00:00+00:00 Unknown https://landaire.net/a-file-format-uncracked-for-20-years/ <p><a rel="external" href="https://en.wikipedia.org/wiki/Tom_Clancy%27s_Splinter_Cell_(video_game)">Splinter Cell (2002)</a> was one of the first games I had on the original Xbox and still remains one of my favorite games of all time. The game was developed by Ubisoft using Unreal Engine 2 -- licensed from a small indie dev called Epic Games who continues to use and license its game engine technology for contemporary small-budget indie games such as <em>Fortnite</em> and <em>Halo: Campaign Evolved</em>.</p> <p>I got into programming/hacking through video games and I still enjoy data mining/exploring cut content from the few games I play nowadays. I recently randomly decided to look online for cut content from Splinter Cell and I was kind of surprised by the lack of datamined info. There isn't really much information on the topic aside from <a rel="external" href="https://hiddenpalace.org/Tom_Clancy%27s_Splinter_Cell_(Sep_13,_2002_prototype)">an OG Xbox review copy</a> of the game which contained two levels cut from the retail Xbox version and some other minor differences.</p> <p>Naturally, I decided to <em>legally backup my personal disc copy of the game</em> and got to digging into the files.</p> <p>My initial objective was to examine the format of the game data and sniff out if there's any indicators of cut content such as textures, models, interesting strings -- whatever. Some nice finds would be debug menus, voice lines, weapon concepts, or levels that are unreachable through normal game progression.</p> <p>The game's (truncated) file tree looks like this:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>.</span></span> <span class="giallo-l"><span>├── contentimage.xbx</span></span> <span class="giallo-l"><span>├── dashupdate.xbe</span></span> <span class="giallo-l"><span>├── default.xbe</span></span> <span class="giallo-l"><span>├── downloader.xbe</span></span> <span class="giallo-l"><span>├── dynamicxbox.umd</span></span> <span class="giallo-l"><span>├── LMaps</span></span> <span class="giallo-l"><span>│ ├── 000_menu</span></span> <span class="giallo-l"><span>│ │ ├── common.lin</span></span> <span class="giallo-l"><span>│ │ └── menu.lin</span></span> <span class="giallo-l"><span>│ ├── 001_Training</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training.bik</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training.lin</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training_progress.tga</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training_start.tga</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_3_Training.lin</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_3_Training_complete.tga</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_3_Training_progress.tga</span></span> <span class="giallo-l"><span>│ │ ├── common.lin</span></span> <span class="giallo-l"><span>│ │ └── French</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training_progress.tga</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_2_Training_start.tga</span></span> <span class="giallo-l"><span>│ │ ├── 0_0_3_Training_complete.tga</span></span> <span class="giallo-l"><span>│ │ └── 0_0_3_Training_progress.tga</span></span></code></pre> <p><code>.xbe</code> files are Xbox Executables, <code>.bik</code> are <a rel="external" href="https://www.radgametools.com/bnkmain.htm">Bink Video</a> files, and <code>.tga</code> are images... but <code>.lin</code> is new to me.</p> <p>In Splinter Cell the maps are divided into separate parts. So in the training mission <code>001_Training</code>, you likely have <code>0_0_2_Training.lin</code> for the first part and <code>0_0_3_Training.lin</code> for the second which gets loaded via an in-game loading sequence after advancing to some zone in the map.</p> <p>I instantly thought that <code>common.lin</code> might contain data common to both of these parts as a way to reduce file size. The Halo games for instance have a <code>shared.map</code> containing assets which are shared across most maps, and load data at a fixed address so that the file can be trivially transmuted from a binary blob to its in-memory data structures.</p> <p>Examining the <code>common.lin</code> file in a hex editor, a few things become immediately apparent:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐</span></span> <span class="giallo-l"><span>│00000000│ 04 00 00 00 0c 00 00 00 ┊ 78 9c 7b d7 97 c2 00 00 │........┊x.{.....│</span></span> <span class="giallo-l"><span>│00000010│ 06 2e 01 e1 04 00 00 00 ┊ 0c 00 00 00 78 9c 63 60 │........┊....x.c`│</span></span> <span class="giallo-l"><span>│00000020│ 90 66 00 00 00 3a 00 1c ┊ 04 00 00 00 0c 00 00 00 │.f...:..┊........│</span></span> <span class="giallo-l"><span>│00000030│ 78 9c 73 48 67 60 00 00 ┊ 02 39 00 a8 04 00 00 00 │x.sHg`..┊.9......│</span></span> <span class="giallo-l"><span>│00000040│ 0c 00 00 00 78 9c b3 e0 ┊ 65 60 00 00 01 0b 00 46 │....x...┊e`.....F│</span></span> <span class="giallo-l"><span>└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘</span></span></code></pre> <ul> <li>Data between <code>0x0..0x4</code> and <code>0x4..0x8</code> are little-endian 32-bit integers: <code>0x00000004</code> and <code>0x0000000C</code>.</li> <li>At offset <code>0x8</code> is what appears to be a zlib-compressed chunk of data -- denoted by the 'x' in the ASCII view and <code>0x78 0x9c</code> in the hex view.</li> <li>There's another sequence of this at offset <code>0x14</code>, which happens to be <code>0xC</code> bytes past the offset of the zlib data (<code>0x8</code>), and another at <code>0x28</code>.</li> </ul> <p>Presumably the format here is <code>{decompressed_data_len, compressed_data_len, zlib_block[compressed_data_len]}</code> repeated.</p> <p>So far so good.</p> <p>I wrote a quick tool to decompress the archive and without a hitch ended up with a 64k file containing 4 <code>u32</code>s prefixing it. Since these 4 are in their own dedicated zlib-compressed chunks I consider to be separate from the main data. I later reverse engineered and identified how they are used:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>uncompressed_data_size: 0x648EEE</span></span> <span class="giallo-l"><span>texture_cache_size? - later used when calling D3DDevice_CreateTexture2: 0x1B0000</span></span> <span class="giallo-l"><span>vertex_buffer_size? - ditto, D3DDevice_CreateVertexBuffer2: 0x6740</span></span> <span class="giallo-l"><span>index_buffer_size? - ditto, XGSetIndexBufferHeader: 0xD38</span></span></code></pre> <p>And this is what the main data section's first 0x100 bytes look like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐</span></span> <span class="giallo-l"><span>│00000000│ 5c 58 9e 13 00 a3 c5 e3 ┊ 9f b4 92 9b 13 5c 58 9e │\X......┊.....\X.│</span></span> <span class="giallo-l"><span>│00000010│ 13 01 00 00 00 04 2a d6 ┊ fe 7e 37 13 4d 61 70 73 │......*.┊.~7.Maps│</span></span> <span class="giallo-l"><span>│00000020│ 5c 6d 65 6e 75 5c 6d 65 ┊ 6e 75 2e 75 6e 72 00 00 │\menu\me┊nu.unr..│</span></span> <span class="giallo-l"><span>│00000030│ 00 00 00 ee de 00 00 00 ┊ 00 00 00 16 4d 61 70 73 │........┊....Maps│</span></span> <span class="giallo-l"><span>│00000040│ 5c 31 5f 31 5f 30 54 62 ┊ 69 6c 69 73 69 2e 75 6e │\1_1_0Tb┊ilisi.un│</span></span> <span class="giallo-l"><span>│00000050│ 72 00 f0 de 00 00 6d c9 ┊ 17 00 00 00 00 00 16 4d │r.....m.┊.......M│</span></span> <span class="giallo-l"><span>│00000060│ 61 70 73 5c 31 5f 31 5f ┊ 31 54 62 69 6c 69 73 69 │aps\1_1_┊1Tbilisi│</span></span> <span class="giallo-l"><span>│00000070│ 2e 75 6e 72 00 60 a8 18 ┊ 00 98 34 21 00 00 00 00 │.unr.`..┊..4!....│</span></span> <span class="giallo-l"><span>│00000080│ 00 16 4d 61 70 73 5c 31 ┊ 5f 31 5f 32 54 62 69 6c │..Maps\1┊_1_2Tbil│</span></span> <span class="giallo-l"><span>│00000090│ 69 73 69 2e 75 6e 72 00 ┊ 00 dd 39 00 89 63 19 00 │isi.unr.┊..9..c..│</span></span> <span class="giallo-l"><span>│000000a0│ 00 00 00 00 18 4d 61 70 ┊ 73 5c 30 5f 30 5f 32 5f │.....Map┊s\0_0_2_│</span></span> <span class="giallo-l"><span>│000000b0│ 54 72 61 69 6e 69 6e 67 ┊ 2e 75 6e 72 00 90 40 53 │Training┊.unr..@S│</span></span> <span class="giallo-l"><span>│000000c0│ 00 0f 9f 0c 00 00 00 00 ┊ 00 18 4d 61 70 73 5c 30 │........┊..Maps\0│</span></span> <span class="giallo-l"><span>│000000d0│ 5f 30 5f 33 5f 54 72 61 ┊ 69 6e 69 6e 67 2e 75 6e │_0_3_Tra┊ining.un│</span></span> <span class="giallo-l"><span>│000000e0│ 72 00 a0 df 5f 00 48 86 ┊ 11 00 00 00 00 00 1e 4d │r..._.H.┊.......M│</span></span> <span class="giallo-l"><span>│000000f0│ 61 70 73 5c 31 5f 32 5f ┊ 31 44 65 66 65 6e 73 65 │aps\1_2_┊1Defense│</span></span> <span class="giallo-l"><span>└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘</span></span></code></pre> <p>And at what appears to be the end of the file table:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐</span></span> <span class="giallo-l"><span>│0002c580│ 79 6e 63 68 5c 69 6e 74 ┊ 5c 55 73 61 53 6f 6c 64 │ynch\int┊\UsaSold│</span></span> <span class="giallo-l"><span>│0002c590│ 69 65 72 5c 55 53 4f 55 ┊ 4e 43 5f 33 2e 62 69 6e │ier\USOU┊NC_3.bin│</span></span> <span class="giallo-l"><span>│0002c5a0│ 00 40 8d 9b 13 74 05 00 ┊ 00 00 00 00 00 c1 83 2a │.@...t..┊.......*│</span></span> <span class="giallo-l"><span>│0002c5b0│ 9e 64 00 11 00 01 00 00 ┊ 00 10 0e 00 00 88 00 00 │.d......┊........│</span></span> <span class="giallo-l"><span>│0002c5c0│ 00 fa 0f 00 00 f3 7a 11 ┊ 00 4e 00 00 00 3e 78 11 │......z.┊.N...&gt;x.│</span></span> <span class="giallo-l"><span>│0002c5d0│ 00 de ad f0 0f 42 01 9c ┊ 90 92 8f 96 93 9e 8b 96 │.....B..┊........│</span></span> <span class="giallo-l"><span>│0002c5e0│ 90 91 9a 9c 97 9a 93 90 ┊ 91 df af bc ba bc b7 ba │........┊........│</span></span> <span class="giallo-l"><span>│0002c5f0│ b3 b0 b1 df a6 c5 a3 ba ┊ bc b7 ba b3 b0 b1 a3 ac │........┊........│</span></span> <span class="giallo-l"><span>│0002c600│ a6 ac ab ba b2 a3 df ce ┊ cf d0 cd c9 d0 cf cd df │........┊........│</span></span> <span class="giallo-l"><span>│0002c610│ cd ce c5 cf cd c5 ce cb ┊ ff 00 00 00 00 00 00 00 │........┊........│</span></span> <span class="giallo-l"><span>│0002c620│ 00 00 00 00 00 00 00 00 ┊ 00 01 00 00 00 fa 0f 00 │........┊........│</span></span> <span class="giallo-l"><span>│0002c630│ 00 10 0e 00 00 05 4e 6f ┊ 6e 65 00 10 04 07 04 06 │......No┊ne......│</span></span> <span class="giallo-l"><span>│0002c640│ 43 6f 6c 6f 72 00 10 04 ┊ 07 04 0d 49 6e 74 65 72 │Color...┊...Inter│</span></span> <span class="giallo-l"><span>│0002c650│ 6e 61 6c 54 69 6d 65 00 ┊ 10 00 07 00 07 45 6e 67 │nalTime.┊.....Eng│</span></span> <span class="giallo-l"><span>│0002c660│ 69 6e 65 00 10 00 07 04 ┊ 05 43 6f 72 65 00 10 00 │ine.....┊.Core...│</span></span> <span class="giallo-l"><span>│0002c670│ 07 04 07 53 79 73 74 65 ┊ 6d 00 10 00 07 04 06 55 │...Syste┊m......U│</span></span> <span class="giallo-l"><span>└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘</span></span></code></pre> <p>Just to save some blog space on my trial and error process here, I'm going to drop some of the resources I found which discuss this format:</p> <ul> <li><a rel="external" href="https://oldunreal.com/phpBB3/viewtopic.php?t=4885">https://oldunreal.com/phpBB3/viewtopic.php?t=4885</a></li> <li><a rel="external" href="https://zenhax.com/viewtopic.php@t=1049.html">https://zenhax.com/viewtopic.php@t=1049.html</a></li> <li><a rel="external" href="https://reshax.com/topic/1421-ubisoft-unreal-engine-2-open-season-2006-video-game-umd-also-lin-xbox-xbox-360-pc-and-liv-latter-being-exclusive-to-xbox-360/">https://reshax.com/topic/1421-ubisoft-unreal-engine-2-open-season-2006-video-game-umd-also-lin-xbox-xbox-360-pc-and-liv-latter-being-exclusive-to-xbox-360/</a></li> <li><a rel="external" href="https://www.unrealarchive.org/wikis/unreal-wiki/Legacy:UMOD/File_Format.html">https://www.unrealarchive.org/wikis/unreal-wiki/Legacy:UMOD/File_Format.html</a></li> </ul> <p>The last two posts in particular had structure info that was helpful in figuring out the packed int format (think UTF-8 and its variable-length encoding) and a couple unknown vars.</p> <p>What I gathered from all of these posts was that over time, nobody's really been able to figure out this format's quirks sufficiently to unpack the data. Everyone seems to think that some kind of VFS is created and the data gets mapped at a specific address and then read. Which may be true for some titles or consoles, but is not really the case for this one.</p> <p><strong>My objective has now changed:</strong> I now want to reverse engineer this file format and be able to dump individual files from this filesystem. Then I can achieve my core goal of looking for cut content. Then I can maybe play the game.</p> <h2 id="tl-dr-of-the-general-lin-structure"><a class="zola-anchor" href="#tl-dr-of-the-general-lin-structure" aria-label="Anchor link for: tl-dr-of-the-general-lin-structure" >#</a > tl;dr of the general <code>.lin</code> structure</h2> <p><code>common.lin</code> has a different layout from the other <code>.lin</code> files that looks roughly like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/* ==== Standard Data ==== */</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// These three, from research + reverse engineering, should not be considered</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// as part of the &quot;whole&quot; file</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">u32</span><span> maybe_load_address</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // 5C 58 9E 13 (0x139e585c) in common.lin</span></span> <span class="giallo-l"><span>compressed_int name_length</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // 0 in common.lin</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">char</span><span> name</span><span style="color: #89DDFF;">[</span><span>name_length</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/* ==== common.lin-specific file header ==== */</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">u32</span><span> magic</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // 0x9fe3c5a3 in little endian, i.e. A3 C5 E3 9F</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">u32</span><span> unk_address</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // B4 92 9B 13, (0x139b92b4) suspiciously similar to maybe_load_address.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // unk_address - load_address gives you the start of the file</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // table, relative to the magic?</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">u32</span><span> load_address2</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // 5C 58 9E 13 same as maybe_load_address</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">u8</span><span> unknown</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;">];</span><span style="color: #464B5D;font-style: italic;"> // 01 00 00 00 04 2A D6 FE</span></span> <span class="giallo-l"><span>compressed_int file_entry_count</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span> file_entries</span><span style="color: #89DDFF;">[</span><span>file_entry_count</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">struct</span><span style="color: #FFCB6B;"> FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> compressed_int name_len</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> char</span><span> name</span><span style="color: #89DDFF;">[</span><span>name_len</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> u32</span><span> offset</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> u32</span><span> len</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> u32</span><span> unk</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>Then immediately following the <code>FileEntry</code> table are 54 Unreal Engine Package files in sequence (identified via their <code>0x9E2A83C1</code> magic -- these are also referred to as <strong>Linker</strong> files) that presumably map to the files in the file table.</p> <p>The map-specific files like <code>menu.lin</code> and <code>0_0_2_Training.lin</code> do not have the file table, but they do have the first 3 fields (and a non-null string like "menu\x0" for the name field) then a sequence of Linker files.</p> <p>But the difficulty with parsing this data starts with the file table.</p> <h2 id="problems"><a class="zola-anchor" href="#problems" aria-label="Anchor link for: problems" >#</a > Problems</h2> <h3 id="file-table"><a class="zola-anchor" href="#file-table" aria-label="Anchor link for: file-table" >#</a > File Table</h3> <p>The file table is a very simple format that I'm able to parse with my program:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\menu\\menu</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xDEEE</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\1_1_0Tbilisi</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xDEF0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x17C96D</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\1_1_1Tbilisi</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x18A860</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x213498</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\1_1_2Tbilisi</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x39DD00</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x196389</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\0_0_2_Training</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x534090</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xC9F0F</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\0_0_3_Training</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x5FDFA0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x118648</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\1_2_1DefenseMinistry</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x7165F0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x249AF6</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Maps</span><span>\\1_2_2DefenseMinistry</span><span style="color: #89DDFF;">.</span><span>unr</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x9600F0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x20F662</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span> <span class="giallo-l"><span style="color: #89DDFF;">&lt;</span><span>snip</span><span style="color: #89DDFF;">&gt;</span></span></code></pre> <p>At first glance the files seem to be laid out sequentially, aligned to a pointer-width boundary. Except, notice that last file's offset... <code>0x9600F0</code>. This is way outside of the range of my <code>0x648EEE</code>-length file, and this file list contains 3,582 files! Not 54 as expected from the count of Unreal Package magics!</p> <p>The mismatch file count could be explained by not every file in this container being an Unreal Package, but the offsets so far are <em>extremely</em> wrong.</p> <h3 id="file-reading"><a class="zola-anchor" href="#file-reading" aria-label="Anchor link for: file-reading" >#</a > File Reading</h3> <p>After debugging the game in the Original Xbox emulator <a rel="external" href="https://xemu.app/">xemu</a>, I was able to find the routine which opens the file, as well as the function which reads and decompresses data.</p> <details class="collapse-section my-4"> <summary>Function Identification Methodology</summary> <div class="collapse-content"> If anyone's curious on the methodology: I identified <code>NtCreateFile</code>, set a breakpoint, recorded the <code>HANDLE</code> returned for the file path I cared about, then set a breakpoint at <code>NtReadFile</code> and broke when the input <code>HANDLE</code> matched the expected value. The call stack/stepping from here helped identify interesting callers. Alternatively, the string "<code>unknown compression method</code>" is useful in finding the decompression routine <code>inflateInit2</code>.</p> <p>This is not super relevant to the blog post which is why it's in this little collapse section. I hate reading posts like this that skip over a detail I'm interested in like it's just common knowledge how something is done, so I'm trying to avoid doing that :) </div> </details> <p><em>Note: Click images to see in higher res</em>.</p> <p><a href="/img/splinter-cell/compressed_fn_hlil.png"><img src="/img/splinter-cell/compressed_fn_hlil.png" alt="Compressed read function high-level IL" /></a></p> <p>This function basically checks the requested read size against how much data it has precached in its decompressed data buffer. It will then copy as much data as it can from its precached buffer to the output buffer, then read the next block of compressed zlib data into its precache buffer if the previous one was exhausted. Repeat this process until the request is satisfied.</p> <p>Identifying this function was pretty important for my reverse engineering process. I could now set breakpoints on the code which copies data to the output buffer and see who's calling this function when data is read from offsets I care about.</p> <p>I stepped through this code, set Memory Read breakpoints on data I didn't yet understand, and noted something interesting early on!</p> <p>Those "addresses" from the header (<code>0x139e585c</code>)? Those are actually passed to what I can only guess is a <code>Seek</code> routine which updates the <code>position</code> property of the file reader, which then makes an indirect call to another function that <strong>literally does nothing</strong>.</p> <p>The entire content of the function is:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>retn 4</span></span></code></pre> <p>That's it.</p> <p>Then the reads just... continue from their last position? Since the function is an indirect call, I can only assume that I was looking at some composed C++ object where the outer class object updates its own <code>position</code> in <code>Seek()</code> and then calls its underlying file reader's <code>Seek()</code>... which is a no-op?</p> <p>After setting Memory Read breakpoints on the object's <code>position</code> field, I noticed it's only ever used in their file reader equivalent of <code>FTell()</code>. It doesn't affect where data is actually being read from at all.</p> <p>The reason for the <code>Seek()</code> being a no-op is likely because the underlying file reader is reading directly from the compressed buffer, which reads in <code>0x4000</code>-byte chunks. Since you cannot reasonably map an uncompressed data offset to a compressed offset the format must be designed to ignore seeks and just read data linearly.</p> <p>...the <code>.lin</code> extension makes a lot more sense.</p> <p>💡 In order to read these files, you have to assume that you cannot seek forward/backward. Easy enough.</p> <h3 id="load-order-matters"><a class="zola-anchor" href="#load-order-matters" aria-label="Anchor link for: load-order-matters" >#</a > Load Order Matters</h3> <p>We still have a problem that has not been addressed: why does the file table have a large count of files with bad offsets?</p> <p>I continued to use breakpoints inside of the file read function to trace where interesting bits of data were read and forced a break when the data immediately following the file table was read. Eventually I traced the file read operation back far enough to find this function, <code>StaticLoadObject</code>:</p> <p><a href="/img/splinter-cell/static_load_object.png"><img src="/img/splinter-cell/static_load_object.png" alt="StaticLoadObject implementation" /></a></p> <p>This function calls <code>ResolveName</code> which I was able to log the arguments to via a debugger breakpoint script, which told me the <code>InName</code> was <code>ini:Engine.Engine.GameEngine</code>:</p> <p><a href="/img/splinter-cell/resolve_name.png"><img src="/img/splinter-cell/resolve_name.png" alt="ResolveName implementation" /></a></p> <p>This <code>ini:Engine.Engine.GameEngine</code> name gets parsed as:</p> <ul> <li><code>ini:</code> &lt;- resolve the name from the game's INI files</li> <li><code>Engine.Engine</code> &lt;- the INI table to read from</li> <li><code>GameEngine</code> &lt;- the key from the table to read</li> </ul> <p>If I look in <code>UW.ini</code> included with the game, this table is defined as:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="ini"><span class="giallo-l"><span style="color: #89DDFF;">[Engine.Engine]</span></span> <span class="giallo-l"><span style="color: #F07178;">RenderDevice</span><span style="color: #89DDFF;">=</span><span>D3DDrv.D3DRenderDevice</span></span> <span class="giallo-l"><span style="color: #F07178;">GameRenderDevice</span><span style="color: #89DDFF;">=</span><span>D3DDrv.D3DRenderDevice</span></span> <span class="giallo-l"><span style="color: #F07178;">AudioDevice</span><span style="color: #89DDFF;">=</span><span>XboxAudio.XboxAudioSubsystem</span></span> <span class="giallo-l"><span style="color: #F07178;">Console</span><span style="color: #89DDFF;">=</span><span>Engine.Console</span></span> <span class="giallo-l"><span style="color: #F07178;">DefaultPlayerMenu</span><span style="color: #89DDFF;">=</span><span>UPreview.UPreviewRootWindow</span></span> <span class="giallo-l"><span style="color: #F07178;">Language</span><span style="color: #89DDFF;">=</span><span>int</span></span> <span class="giallo-l"><span style="color: #F07178;">GameEngine</span><span style="color: #89DDFF;">=</span><span>Engine.GameEngine</span></span> <span class="giallo-l"><span style="color: #F07178;">EditorEngine</span><span style="color: #89DDFF;">=</span><span>Editor.EditorEngine</span></span> <span class="giallo-l"><span style="color: #F07178;">WindowedRenderDevice</span><span style="color: #89DDFF;">=</span><span>D3DDrv.D3DRenderDevice</span></span> <span class="giallo-l"><span style="color: #F07178;">DefaultGame</span><span style="color: #89DDFF;">=</span><span>Echelon.EchelonGameInfo</span></span> <span class="giallo-l"><span style="color: #F07178;">DefaultServerGame</span><span style="color: #89DDFF;">=</span><span>WarfareGame.WarfareTeamGame</span></span> <span class="giallo-l"><span style="color: #F07178;">ViewportManager</span><span style="color: #89DDFF;">=</span><span>XboxDrv.XboxClient</span></span> <span class="giallo-l"><span style="color: #F07178;">Render</span><span style="color: #89DDFF;">=</span><span>Render.Render</span></span> <span class="giallo-l"><span style="color: #F07178;">Input</span><span style="color: #89DDFF;">=</span><span>Engine.Input</span></span> <span class="giallo-l"><span style="color: #F07178;">Canvas</span><span style="color: #89DDFF;">=</span><span>Echelon.ECanvas</span></span> <span class="giallo-l"><span style="color: #F07178;">Editor3DRenderDevice</span><span style="color: #89DDFF;">=</span><span>D3DDrv.D3DRenderDevice</span></span></code></pre> <p>So the resulting value returned from this function is <code>Engine.GameEngine</code>, which matches what this function resolves.</p> <p>This is then used to resolve the <strong>package</strong> <code>Engine</code> and its <strong>exported object</strong> <code>GameEngine</code>. The game binary looks for the file <code>Engine</code> in its available sources (partial matching strategy), which includes searching against the LIN file table, and then resolves that name as <code>System\Engine.u</code>. My tool that reads the file table confirms that this is declared in the LIN file:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #FFCB6B;">FileEntry</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> System</span><span>\\</span><span style="color: #FFCB6B;">Engine</span><span style="color: #89DDFF;">.</span><span>u</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x13482120</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> len</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x127DA1</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">},</span></span></code></pre> <p>Except the file start offset + len don't make sense. If I assume the <code>Engine.u</code> file is the first file immediately following the file table, advancing forward by this length appears to land right in the middle of some string?</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐</span></span> <span class="giallo-l"><span>│00154330│ 09 45 4d 65 73 68 53 46 ┊ 58 00 10 00 07 00 1b 43 │.EMeshSF┊X......C│</span></span> <span class="giallo-l"><span>│00154340│ 68 61 6e 64 65 72 6c 65 ┊ 72 43 72 79 73 74 61 6c │handerle┊rCrystal│</span></span> <span class="giallo-l"><span>│00154350│ 50 61 72 74 69 63 75 6c ┊ 65 00 10 00 07 00 12 46 │Particul┊e......F│</span></span> <span class="giallo-l"><span>└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘</span></span></code></pre> <p>I'll save some time and just say that I did not identify the wrong file. The lengths just don't matter, and for all intents and purposes are wrong. The reader in the game engine must just read the data in-order using its self-description in its own header?</p> <p>The Unreal Engine Package/Linker file format has been <a rel="external" href="https://eliotvu.com/page/unreal-package-file-format">well documented</a> and does include some sizes in its header. The packages contain about what you'd expect of some object-oriented programming (OOP) script/data format.</p> <p>It has <em>exported</em> objects which are named instances of some OOP type and has properties and data. Or the object can be a class/struct definition. The exports may rely on types exported from other packages which are declared as <em>imports</em>. Both of these have names or string data associated with them which are defined in the <em>name</em> table.</p> <p>I mapped the existing documentation to the following Rust struct:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #F78C6C;">pub</span><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> PackageHeader</span><span style="color: #89DDFF;">&lt;&#39;</span><span style="color: #FFCB6B;">i</span><span style="color: #89DDFF;">&gt; {</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> version</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> flags</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> name_count</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> name_offset</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> export_count</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> export_offset</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> import_count</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> import_offset</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Note: this is not in the above documented description</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Ditto.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Not shown: compressed int for length of this data at this position</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> unknown_data</span><span style="color: #89DDFF;">: &amp;&#39;</span><span style="color: #FFCB6B;">i</span><span style="color: #89DDFF;"> [</span><span style="color: #FFCB6B;">u8</span><span style="color: #89DDFF;">],</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> guid_a</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> guid_b</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> guid_c</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> guid_d</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Not shown: compressed int for length of this data at this position.</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub</span><span> generations</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Vec</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">GenerationInfo</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>And of course, the offsets in this format are also unusable (e.g. the <code>name_offset</code> lands you <em>after</em> the start of the name table). But the counts look good:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #FFCB6B;">PackageHeader</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> version</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x110064</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> flags</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x1</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> name_count</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xE10</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> name_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x88</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> export_count</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xFFA</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> export_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x117AF3</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> import_count</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x4E</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> import_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x11783E</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unk</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xFF0ADDE</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> unknown_data</span><span style="color: #89DDFF;">: [</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ...</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ]</span></span> <span class="giallo-l"><span> guid_a</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> guid_b</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> guid_c</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> guid_d</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> generations</span><span style="color: #89DDFF;">: [</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> GenerationInfo</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> export_count</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xFFA</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> name_count</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xE10</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> },</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ],</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>Now with my tool updated to read these tables -- parsing by assuming that they immediately follow this header and each other -- I have imports that look like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #FFCB6B;">Package Core</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Core</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Import</span><span style="color: #89DDFF;"> {</span><span> class_package</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span> class_name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> B64</span><span style="color: #89DDFF;">,</span><span> package_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">,</span><span> object_name</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span> object</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> None</span><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">Class Core</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Object</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Import</span><span style="color: #89DDFF;"> {</span><span> class_package</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span> class_name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> B62</span><span style="color: #89DDFF;">,</span><span> package_index</span><span style="color: #89DDFF;">:</span><span> FFFFFFFF</span><span style="color: #89DDFF;">,</span><span> object_name</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;">,</span><span> object</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> None</span><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">Class Core</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Function</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Import</span><span style="color: #89DDFF;"> {</span><span> class_package</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span> class_name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> B62</span><span style="color: #89DDFF;">,</span><span> package_index</span><span style="color: #89DDFF;">:</span><span> FFFFFFFF</span><span style="color: #89DDFF;">,</span><span> object_name</span><span style="color: #89DDFF;">:</span><span> BBD</span><span style="color: #89DDFF;">,</span><span> object</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> None</span><span style="color: #89DDFF;"> }</span></span></code></pre> <p>And exports:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #FFCB6B;">Class Actor</span></span> <span class="giallo-l"><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x0</span><span style="color: #89DDFF;">)</span><span style="color: #FFCB6B;"> ObjectExport</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> class_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> super_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xFFFFFFFE</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> package_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_name</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x206</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_flags</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x40F0004</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_size</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x3A8</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xF719</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">Class Pawn</span></span> <span class="giallo-l"><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x1</span><span style="color: #89DDFF;">)</span><span style="color: #FFCB6B;"> ObjectExport</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> class_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> super_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x1</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> package_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_name</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x1A</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_flags</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x40F0004</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_size</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x281</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xFAC1</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;">...</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #FFCB6B;">Class GameEngine</span></span> <span class="giallo-l"><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0xEFB</span><span style="color: #89DDFF;">)</span><span style="color: #FFCB6B;"> ObjectExport</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> class_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> super_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x1C8</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> package_index</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x0</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_name</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x1D8</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> object_flags</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x40F0004</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_size</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0x5B</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> serial_offset</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0xC50DB</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>So the <code>GameEngine</code> object has export index <code>0xEFB</code> and its data is supposedly located at offset <code>0xC50DB</code> relative to the package start. You guessed it though, its offset is wrong!</p> <h3 id="export-data"><a class="zola-anchor" href="#export-data" aria-label="Anchor link for: export-data" >#</a > Export Data</h3> <p>Up to this point we know:</p> <ol> <li>You cannot seek in the file reader.</li> <li>The offsets do not map cleanly to the on-disk representation and aren't really used other than for position tracking.</li> <li>The sizes (at least in the file table, and I soon realized in the export data) are incorrect.</li> <li>We know <code>GameEngine</code> is the first object requested by the C++ side of the game and is export index <code>0xEFB</code> in the <code>Engine</code> package. It may not be the first object actually <em>parsed</em>, but it's the first object requested.</li> </ol> <p>Now, to achieve my goal of dumping these files I attempted to simply sum the size of these exports to figure out the end offset of the file... but trying a combination of that calculated size + any of the <code>{end_of_export_table, start_of_file}</code> offsets landed me in weird places with other Linker files in-between.</p> <p>By referencing <a rel="external" href="https://github.com/EliotVU/Unreal-Library">Unreal-Library</a> to help fill in some of the blanks, I observed the following high-level parsing logic in the game engine:</p> <ol> <li>An exported object is requested by the game. If it isn't loaded already, the export is lazy loaded.</li> <li>Lazy loading requires resolving the <code>super</code> type's object. For some things this is the <code>Class</code> or <code>Struct</code> base types, for other things this is a different parent class which will eventually have <code>Class</code> as its parent type.</li> <li>Exports have properties which can be of varying size. As you read an export, you deserialize its data as described by its <code>serial_size</code> and <code>serial_offset</code> fields, and however the types exported from the C++ side defines the deserialization routine.</li> </ol> <p>Which visually results in something like the following flow when resolving imports/exports:</p> <p><img src="/img/splinter-cell/export_load_flow_diagram.svg" alt="Export parsing flow" /></p> <p>To give a concrete example, imagine that <code>GameEngine</code> has the following class hierarchy:</p> <p><code>GameEngine -&gt; Engine -&gt; Subsystem -&gt; Class</code></p> <p>Also imagine that <code>GameEngine</code> is the very first object ever parsed -- nothing else has been loaded yet. Requesting to load <code>GameEngine</code> from the <code>Engine.u</code> package will trigger the following sequence of events:</p> <ol> <li><code>Engine.u</code> header read/parse (since no package has been created yet)</li> <li>Lookup <code>Engine</code>'s <code>GameEngine</code> export. It's not yet parsed, so we need to construct this object by constructing/deserializing it.</li> <li><code>GameEngine</code>'s parent class is <code>Engine.Engine</code>. It has not yet been parsed, so we need to deserialize it <strong>before</strong> <code>GameEngine</code>.</li> <li><code>Core.Subsystem</code> is <code>Engine.Engine</code>'s parent class. Same thing.</li> <li><code>Core.u</code> header read/parse (since <code>Core</code> hasn't been loaded yet)</li> <li><code>Core.Class</code> is <code>Core.Subsystem</code>'s parent class (and the base class). Construct this object.</li> <li><code>Core.Class</code> property deserialization. We can now continue with <code>Core.Subsystem</code> creation.</li> <li><code>Core.Subsystem</code> property deserialization...</li> <li><code>Engine.Engine</code> property deserialization..</li> <li><code>Engine.GameEngine</code> property deserialization...</li> <li>We can now return the fully constructed <code>Engine.GameEngine</code>.</li> </ol> <p>I believe this can result in export data that is interleaved, unfortunately. For the above scenario the data may be on disk like the following diagram. <strong>Note:</strong> for space/simplicity I've omitted <code>Core.Class</code>, as well as the potential for the <em>properties themselves</em> to trigger deserializing of other exports.</p> <img src="/img/splinter-cell/interleaved-data-layout.svg" alt="Interleaved data layout diagram showing how GameEngine, Engine, and Core.Subsystem export data is interleaved on disk" class="mx-auto block" /> <p>And now if you imagine that there's a <em>second</em> object which also extends from <code>Engine</code> loaded after <code>GameEngine</code>, then their common the super class <code>Engine</code> has already been parsed and its information is already in-memory. i.e. if you serialize two objects of the same exact type, the first object might have all the data for its parent classes interleaved with <em>its own</em> export data and the second object only contains its own property data.</p> <p>Unfortunately, this means that to read these files statically (even for just static recompilation) you need to have full knowledge of how each C++-implemented type is parsed in order to parse all exports and their properties. Additionally, reading one export may trigger resolving of imports in your own Linker object, which in turn trigger deserialization of exports in another Linker object.</p> <p>This results in the export data's size not necessarily being <em>wrong</em> per se, but not super usable without actually doing full parsing. If other exports are deserialized in the middle of deserializing an export, they will seek around and restore the original position. When the export is done deserializing it subtracts the post-deserialization <code>position</code> of the file reader from the saved pre-deserialization <code>position</code> and asserts that it equals the export's expected length. It's misleading though as you cannot simply read <code>SerialSize</code> bytes from its offset.</p> <p><em>Note: I'm not 100% confident in the data being interleaved vs just sequential. Through observing seek/read operations for various exports, I do see seeks going to a wildly different offset in the middle of deserializing an export, then another export deserializing, then seeking back to the original export and continuing to deserialize it again This is a PITA to debug though</em>.</p> <h3 id="why"><a class="zola-anchor" href="#why" aria-label="Anchor link for: why" >#</a > Why??????</h3> <p>I imagine there's a very good reason for packaging data this way. It's best to consider the constraints of the time:</p> <ol> <li>The game is being shipped on a physical disc.</li> <li>The Xbox has 64MB of RAM shared between the CPU and GPU, with some portion of that being dedicated to the OS.</li> <li>The CPU wasn't terribly slow for the time, but wasting cycles would have been noticed.</li> </ol> <p>The <code>.lin</code> format mitigates these issues with:</p> <ol> <li>Compressing data means you save space on the disc... If you conveniently ignore the fact that <code>common.lin</code> is duplicated in each map's directory and is the same for every map I tested, which kinda negates part of this.</li> <li>Streaming data in from the file instead of decompressing the whole thing at once saves on overall memory pressure during the data loading phase.</li> <li>Laying out the file in a byte-for-byte exact read order increases I/O speeds by not having to seek around the physical media, and ensures that you don't need magic to translate an uncompressed offset to a compressed one in a performant manner.</li> </ol> <h2 id="logging-load-order-for-static-recompilation"><a class="zola-anchor" href="#logging-load-order-for-static-recompilation" aria-label="Anchor link for: logging-load-order-for-static-recompilation" >#</a > Logging Load Order for Static Recompilation</h2> <p>I really, really wanted to avoid doing any runtime dumping that requires playing the game in an emulator or physical console. It doesn't scale well to other games and is generally less flexible. But doing runtime observations are extremely useful in making sense of the format, so I went ahead and added some logging to get an idea of the file read order from the compressed archive when booting the game:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>..\System\Engine.u</span></span> <span class="giallo-l"><span>..\System\Core.u</span></span> <span class="giallo-l"><span>..\System\Echelon.u</span></span> <span class="giallo-l"><span>..\Textures\HUD.utx</span></span> <span class="giallo-l"><span>..\Sounds\FisherFoley.uax</span></span> <span class="giallo-l"><span>..\Sounds\CommonMusic.uax</span></span> <span class="giallo-l"><span>..\System\EchelonEffect.u</span></span> <span class="giallo-l"><span>..\Textures\ETexSFX.utx</span></span> <span class="giallo-l"><span>..\Textures\2-1_CIA_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\generic_shaders.utx</span></span> <span class="giallo-l"><span>..\Textures\LightGenTex.utx</span></span> <span class="giallo-l"><span>..\Textures\5_1_PresidentialPalace_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\1_2_Def_Ministry_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\EGO_Tex.utx</span></span> <span class="giallo-l"><span>..\Textures\ETexIngredient.utx</span></span> <span class="giallo-l"><span>..\Textures\1-1_TBilisi_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\1_3_CaspianOilRefinery_TEX.utx</span></span> <span class="giallo-l"><span>..\StaticMeshes\EMeshSFX.usx</span></span> <span class="giallo-l"><span>..\StaticMeshes\EGO_OBJ.usx</span></span> <span class="giallo-l"><span>..\Textures\ETexCharacter.utx</span></span> <span class="giallo-l"><span>..\Textures\4_3_Chinese_Embassy_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\4_3_0_Chinese_Embassy_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\4_3_2_Chinese_Embassy_tex.utx</span></span> <span class="giallo-l"><span>..\Sounds\water.uax</span></span> <span class="giallo-l"><span>..\Sounds\DestroyableObjet.uax</span></span> <span class="giallo-l"><span>..\Sounds\FisherVoice.uax</span></span> <span class="giallo-l"><span>..\Sounds\FisherEquipement.uax</span></span> <span class="giallo-l"><span>..\Sounds\GunCommon.uax</span></span> <span class="giallo-l"><span>..\Sounds\Interface.uax</span></span> <span class="giallo-l"><span>..\Sounds\Electronic.uax</span></span> <span class="giallo-l"><span>..\Sounds\Dog.uax</span></span> <span class="giallo-l"><span>..\Sounds\Lambert.uax</span></span> <span class="giallo-l"><span>..\StaticMeshes\EMeshIngredient.usx</span></span> <span class="giallo-l"><span>..\StaticMeshes\EMeshCharacter.usx</span></span> <span class="giallo-l"><span>..\Textures\2_2_1_Kalinatek_tex.utx</span></span> <span class="giallo-l"><span>..\StaticMeshes\LightGenOBJ.usx</span></span> <span class="giallo-l"><span>..\Textures\ETexRenderer.utx</span></span> <span class="giallo-l"><span>..\Sounds\Door.uax</span></span> <span class="giallo-l"><span>..\Sounds\GenericLife.uax</span></span> <span class="giallo-l"><span>..\Sounds\Special.uax</span></span> <span class="giallo-l"><span>..\Sounds\ThrowObject.uax</span></span> <span class="giallo-l"><span>..\StaticMeshes\Generic_Mesh.usx</span></span> <span class="giallo-l"><span>..\StaticMeshes\prog\generic_obj.usx</span></span> <span class="giallo-l"><span>..\Textures\0_0_Training_tex.utx</span></span> <span class="giallo-l"><span>..\Textures\3_4_Severo_tex.utx</span></span> <span class="giallo-l"><span>..\System\EchelonIngredient.u</span></span> <span class="giallo-l"><span>..\Sounds\Gun.uax</span></span> <span class="giallo-l"><span>..\System\EchelonGameObject.u</span></span> <span class="giallo-l"><span>..\Animations\ESkelIngredients.ukx</span></span> <span class="giallo-l"><span>..\Sounds\Metal.uax</span></span> <span class="giallo-l"><span>..\Animations\ETrk.ukx</span></span> <span class="giallo-l"><span>..\StaticMeshes\2-1_cia_obj.usx</span></span> <span class="giallo-l"><span>..\System\EchelonHUD.u</span></span> <span class="giallo-l"><span>..\Animations\ESam.ukx</span></span> <span class="giallo-l"><span>..\Maps\menu\menu.unr // &lt;--- # 55</span></span> <span class="giallo-l"><span>..\Textures\2_2_Kalinatek_tex.utx</span></span> <span class="giallo-l"><span>..\StaticMeshes\2_2_Kalinatek_OBJ.usx</span></span> <span class="giallo-l"><span>..\System\EchelonPattern.u</span></span> <span class="giallo-l"><span>..\Sounds\S3_4_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S3_4_3Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_2_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_1_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S5_1_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S3_2_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_2_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_1_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_2_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_1_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S0_0_3Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S3_2_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_2_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_3_3Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S0_0_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_3_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_1_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_2_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_3_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S5_1_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_1_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_1_1Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_1_0Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_2_3Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_1_0Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_2_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\Vehicules.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_1_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S2_1_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_3_0Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S1_3_2Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\Machine.uax</span></span> <span class="giallo-l"><span>..\Sounds\FireSound.uax</span></span> <span class="giallo-l"><span>..\Sounds\SoundEvent.uax</span></span> <span class="giallo-l"><span>..\Sounds\S0_0_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_3_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S4_2_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\S5_1_Voice.uax</span></span> <span class="giallo-l"><span>..\Sounds\XboxLive.uax</span></span> <span class="giallo-l"><span>..\System\EchelonCharacter.u</span></span> <span class="giallo-l"><span>..\Sounds\GearCommon.uax</span></span> <span class="giallo-l"><span>..\Animations\ENPC.ukx</span></span> <span class="giallo-l"><span>..\Sounds\Exspetsnaz.uax</span></span> <span class="giallo-l"><span>..\Sounds\GeorgianSoldier.uax</span></span> <span class="giallo-l"><span>..\Sounds\RussianMafioso.uax</span></span> <span class="giallo-l"><span>..\Sounds\GeorgianCop.uax</span></span> <span class="giallo-l"><span>..\Sounds\EliteForce.uax</span></span> <span class="giallo-l"><span>..\Sounds\CiaSecurity.uax</span></span> <span class="giallo-l"><span>..\Sounds\CiaAgentMale.uax</span></span> <span class="giallo-l"><span>..\Sounds\ChineseSoldier.uax</span></span> <span class="giallo-l"><span>..\Animations\EFemale.ukx</span></span> <span class="giallo-l"><span>..\Animations\EDog.ukx</span></span> <span class="giallo-l"><span>..\Sounds\GeorgianPalaceGuard.uax</span></span></code></pre><details class="collapse-section my-4"> <summary>File Dumping Script</summary> <div class="collapse-content"> I set a breakpoint in the prologue of a function with the string "<code>LinkerExists</code>" that I later determined to be the constructor for an object called <code>ULinkerLoad</code>. One of the arguments is the file name for this object.</p> <p>When triggered, the breakpoint executes the following IDA Python script which reads the filename pointer, then the filename, outputs it to the IDA console, and continues execution:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> ida_idd</span><span style="color: #89DDFF;">,</span><span> ida_kernwin</span><span style="color: #89DDFF;">,</span><span> ctypes</span></span> <span class="giallo-l"><span>p</span><span style="color: #89DDFF;">=</span><span>ida_dbg</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get_reg_val</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ebx</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>s</span><span style="color: #89DDFF;">=</span><span style="color: #C792EA;">b</span><span style="color: #89DDFF;">&quot;&quot;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">while</span><span style="color: #89DDFF;"> True:</span></span> <span class="giallo-l"><span> c</span><span style="color: #89DDFF;"> =</span><span> ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">p</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> not</span><span> c</span><span style="color: #89DDFF;"> or</span><span> c</span><span style="color: #89DDFF;"> ==</span><span style="color: #C792EA;"> b</span><span style="color: #89DDFF;">&quot;</span><span>\x00\x00</span><span style="color: #89DDFF;">&quot;:</span><span style="color: #89DDFF;font-style: italic;"> break</span></span> <span class="giallo-l"><span> s</span><span style="color: #89DDFF;"> +=</span><span> c; p</span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>ida_kernwin</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">msg</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ULinkerLoad: </span><span style="color: #89DDFF;">&quot; +</span><span style="color: #82AAFF;"> s</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">decode</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">utf-16-le</span><span style="color: #89DDFF;">&#39;)+&quot;</span><span>\n</span><span style="color: #89DDFF;">&quot;)</span></span></code></pre> </div> </details> <p>In the above file load order I annotated file #55 which is <code>..\Maps\menu\menu.unr</code>. The <code>common.lin</code> file has 54 Linker files and #55 in the above listing happens to be the map which is loading and has its own dedicated <code>.lin</code> file. This is a strong indicator that the <code>common.lin</code> archive genuinely contains only 54 files and anything else is read from level-specific archives.</p> <p>I also set a breakpoint in the function which deserializes exports (called <code>Preload</code>) and did some logging of which export is read and when a stream seek occurred:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>ULinkerLoad: ..\System\Engine.u</span></span> <span class="giallo-l"><span>ULinkerLoad: ..\System\Core.u</span></span> <span class="giallo-l"><span>Export offset: 0x0,0x0,0x0,0x97,0x40f0004,0x4d,0x1b05</span></span> <span class="giallo-l"><span>Seeking to/from: 0x1b05,0x10883</span></span> <span class="giallo-l"><span>Export offset: 0xfffffffe,0x0,0x3,0x13d,0x70004,0x1c,0x6531</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6531,0x1b18</span></span> <span class="giallo-l"><span>Read complete: 0xfffffffe,0x0,0x3,0x13d,0x70004,0x1c,0x6531</span></span> <span class="giallo-l"><span>Seeking to/from: 0x1b18,0x654d</span></span> <span class="giallo-l"><span>Export offset: 0xfffffffe,0x0,0x3,0x13c,0x70004,0x1c,0x6515</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6515,0x1b18</span></span> <span class="giallo-l"><span>Read complete: 0xfffffffe,0x0,0x3,0x13c,0x70004,0x1c,0x6515</span></span> <span class="giallo-l"><span>Seeking to/from: 0x1b18,0x6531</span></span> <span class="giallo-l"><span>Export offset: 0xfffffffe,0x0,0x3,0x119d,0x70004,0x2c,0x6432</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6432,0x1b18</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6451,0x6452</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6453,0x6454</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6454,0x6455</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6455,0x6456</span></span> <span class="giallo-l"><span>Export offset: 0xfffffffd,0x0,0x2d7,0x477,0x70004,0xb,0x1c35</span></span> <span class="giallo-l"><span>Seeking to/from: 0x1c35,0x6457</span></span> <span class="giallo-l"><span>Read complete: 0xfffffffd,0x0,0x2d7,0x477,0x70004,0xb,0x1c35</span></span> <span class="giallo-l"><span>Seeking to/from: 0x6457,0x1c40</span></span> <span class="giallo-l"><span>Export offset: 0xfffffffd,0x0,0x2d7,0x46d,0x70004,0xb,0x2736</span></span></code></pre><details class="collapse-section my-4"> <summary>Export Preload Script</summary> <div class="collapse-content"> IDA Python breakpoint script at <code>Preload</code> entry, identifiable by the string "<code>SerialSize</code>" <strong>and</strong> after the deserialization routine is called:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> ida_dbg</span><span style="color: #89DDFF;">,</span><span> ida_idd</span><span style="color: #89DDFF;">,</span><span> ida_kernwin</span><span style="color: #89DDFF;">,</span><span> ctypes</span><span style="color: #89DDFF;">,</span><span> time</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>export_addr</span><span style="color: #89DDFF;">=</span><span>ida_dbg</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get_reg_val</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ebp</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>class_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>super_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>package_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>object_name</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>object_flags</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>serial_size</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 20</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>serial_offset</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 24</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>edx</span><span style="color: #89DDFF;">=</span><span>ida_dbg</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get_reg_val</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">edx</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>properties</span><span style="color: #89DDFF;"> = [</span><span>class_index</span><span style="color: #89DDFF;">,</span><span> super_index</span><span style="color: #89DDFF;">,</span><span> package_index</span><span style="color: #89DDFF;">,</span><span> object_name</span><span style="color: #89DDFF;">,</span><span> object_flags</span><span style="color: #89DDFF;">,</span><span> serial_size</span><span style="color: #89DDFF;">,</span><span> serial_offset</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>ida_kernwin</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">msg</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">Export data: </span><span style="color: #89DDFF;">&quot; + &quot;</span><span style="color: #C3E88D;">,</span><span style="color: #89DDFF;">&quot;.</span><span style="color: #82AAFF;">join</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">hex</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">n</span><span style="color: #89DDFF;">)</span><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #82AAFF;"> n</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #82AAFF;"> properties</span><span style="color: #89DDFF;">) +&quot;</span><span>\n</span><span style="color: #89DDFF;">&quot;)</span></span></code></pre> </div> </details> <p>There is really no discernable pattern to the loads at all. The file/export load order seems to be just satisfying the dependency graph (exports required for parents/properties of yet-to-be-parsed types) for requested objects from the C++ side of the house.</p> <p>I think an acceptable compromise to doing this statically would be requiring dumping the file/export load order from the game... but more work is needed to prove the viability of this approach.</p> <p>I adjusted my program to read my logged lines into a queue of exports to be parsed, using the <strong>completed</strong> reads (lines starting with <code>Read complete</code> rather than <code>Export offset</code>). It then attempted to find the matching export in the export table across any package, and read its size. Repeat until the next Linker object is encountered, parse that, add it to the list, and repeat.</p> <p>This quickly proved to be non-viable with my very barebones program. I would hit a point where I failed to find a matching export for the line logged, presumably because I was not reading the correct amount of data required to reach the next Unreal Package where that export was declared.</p> <p>This was either a bug, or maybe some of the types attempt to seek+read without triggering a <code>Preload()</code>. At any rate, I had now invested a week or longer on the static approach with no data successfully dumped yet.</p> <h2 id="dumping-at-runtime"><a class="zola-anchor" href="#dumping-at-runtime" aria-label="Anchor link for: dumping-at-runtime" >#</a > Dumping at Runtime</h2> <p>At some point during the above research, I discovered the <a rel="external" href="https://github.com/Joshhhuaaa/EnhancedSC">EnhancedSC</a> project -- a community patch for Splinter Cell 1 on PC which fixes bugs, adds gameplay improvements, and has folks who certainly know the game engine better than me. I joined their Discord and asked if anyone knew about this format and they said that it's been a dead end for anyone who's bothered.</p> <p>They were quite interested though in any progress achieved as they want to port some content from the Xbox versions of the games to PC. Through this community I got some great help with various theories, ideas, and introduced to tooling like <a rel="external" href="https://github.com/UE-Explorer/UE-Explorer">UE-Explorer</a>.</p> <p>After spending about a week on static recompilation I didn't want to spend even more time investing in getting things dumped only to hit a hard wall. For example discovering that the files were wildly different than expected, wouldn't work on PC, or wouldn't work with UE Explorer. I needed to dump <em>something</em>.</p> <p>The game can obviously read the data fine. The thought came to me that perhaps I could just dump the data into some crappy format after it's read that makes piecing it back together easy.</p> <p>While doing static analysis I came across a function that was very peculiar to me. I identified the <code>ULinkerLoad</code> function mentioned earlier by searching for the Unreal Package file magic (highlighted below), and found the following function:</p> <p><a href="/img/splinter-cell/linker_load.png"><img src="/img/splinter-cell/linker_load.png" alt="LinkerLoad HLIL" /></a></p> <p>As expected, the file magic is checked against what's read from disk. But there's another result for the magic in a different function that is <strong>setting</strong> some structure's field to the magic:</p> <p><a href="/img/splinter-cell/linker_save.png"><img src="/img/splinter-cell/linker_save.png" alt="SerializeLinker HLIL" /></a></p> <p>And what is the purpose of this code? As it turns out, user game saves are just Unreal Objects serialized in the same format -- sans compression and other oddities that go along with it!</p> <p><a href="/img/splinter-cell/save_fn.png"><img src="/img/splinter-cell/save_fn.png" alt="SaveObject HLIL" /></a></p> <h3 id="patching-og-xbox-binaries"><a class="zola-anchor" href="#patching-og-xbox-binaries" aria-label="Anchor link for: patching-og-xbox-binaries" >#</a > Patching OG Xbox Binaries</h3> <p>In order to do interesting things, we need to run our own code alongside the game. Debugger scripts are simply too slow and unreliable, so we need something running in the emulator or on a physical device. It'd also be cool if I could write a QEMU plugin for the emulator... but that's another rabbit hole.</p> <p>Injecting code into a game on Windows or Unix is easy. You can <code>CreateRemoteThread()</code> or DLL hijack on Windows, and on Unix use <code>LD_PRELOAD</code>. On Xbox 360 you can "inject" persistent DLLs. On original Xbox, you have one process with (as far as I know), no DLLs.</p> <p>This could probably be a blog post on its own since modern information is pretty scarce (RIP XboxHacker.org), but there are at least two tools I know of that can be used to manipulate original Xbox executables.</p> <ol> <li>The Python library <a rel="external" href="https://github.com/mborgerson/pyxbe">pyxbe</a></li> <li>The CLI tool <a rel="external" href="https://github.com/grimdoomer/XboxImageXploder">XboxImageExploder</a></li> </ol> <p>Both of these tools allow you to add a new section to an executable and basically create a code cave that you can use for placing additional code or data. When the system loads the image, it maps that newly added section with the appropriate permissions. You then need to patch some place in the original executable so that your code runs.</p> <p>Using XboxImageExploder and XePatcher <a rel="external" href="https://github.com/landaire/SplinterCellDumpPatch/blob/main/SplinterCellFileDumper.asm">I was able to write a patch</a> which calls the serialization routine on an object after it gets loaded into memory.</p> <p><strong>tl;dr</strong> of the patch:</p> <ol> <li>Define a hook point at the end of the<code>LoadMap()</code> function. This definition will cause XePatcher to write these instructions that jump execution to <code>Hack_LoadMap</code> at the declared file offset.</li> <li><code>Hack_LoadMap</code> calls <code>Hack_DumpAllLinkers</code> and does the standard epilogue cleanup for <code>LoadMap()</code> which won't be executed since we hijacked execution</li> <li><code>Hack_DumpAllLinkers</code> iterates a global list of <code>Linker</code> objects and calls <code>Hack_DumpFile</code> with that linker as an argument.</li> <li><code>Hack_DumpFile</code> ensures that the output directory for the given <code>Linker</code> file is created, then calls the game-provided function which serializes the <code>Linker</code> to that path. For example, the <code>..\System\Engine.u</code> linker file from the <code>common.lin</code> file will be written to <code>z:\System\Engine.u</code>.</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="asm"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">;---------------------------------------------------------</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">; At the very end of the LoadMap() routine</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">;---------------------------------------------------------</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">; file offset, not a VA</span></span> <span class="giallo-l"><span style="color: #C792EA;">dd</span><span style="color: #F78C6C;"> 73698h</span></span> <span class="giallo-l"><span style="color: #C792EA;">dd</span><span> (_load_map_return_end - _load_map_return_start)</span></span> <span class="giallo-l"><span style="color: #82AAFF;">_load_map_return_start</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Jump to our detour function</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, Hack_LoadMap</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jmp eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">_load_map_return_end</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">_Hack_LoadMapCalled</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #C792EA;"> dd</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">_Hack_LoadMap</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, Hack_DumpAllLinkers</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, Hack_LoadMapCalled</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov</span><span style="color: #C792EA;"> dword</span><span> [</span><span style="color: #89DDFF;">eax</span><span>], </span><span style="color: #F78C6C;">1</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _load_map_restore_registers</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; return value that we clobbered in the</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; hook</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Since we patched in the prologue, we will just</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; do the register restore ourselves</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop edi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esp</span><span>, </span><span style="color: #89DDFF;">ebp</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop ebp</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> retn</span><span style="color: #F78C6C;"> 8</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">_Hack_DumpAllLinkers</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> %</span><span style="color: #89DDFF;font-style: italic;">define</span><span> g_ObjectLinkers 0033c42ch</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Load the linker count</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ebx</span><span>, [g_ObjectLinkers + </span><span style="color: #F78C6C;">4</span><span>]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> test ebx</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jz</span><span> _dump_all_linkers_restore_registers</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; esi will be our index</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esi</span><span>, </span><span style="color: #F78C6C;">0</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_all_linkers_linker_loop_start</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> cmp esi</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jz</span><span> _dump_all_linkers_linker_loop_finish</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Iterate the linkers</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, [g_ObjectLinkers]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ecx</span><span>, </span><span style="color: #89DDFF;">esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> imul ecx</span><span>, </span><span style="color: #F78C6C;">4</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> add eax</span><span>, </span><span style="color: #89DDFF;">ecx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, [</span><span style="color: #89DDFF;">eax</span><span>]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ecx</span><span>, Hack_DumpFile</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call ecx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, (</span><span style="color: #F78C6C;">4</span><span> * </span><span style="color: #F78C6C;">1</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_all_linkers_linker_loop_end</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> inc esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jmp</span><span> _dump_all_linkers_linker_loop_start</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_all_linkers_linker_loop_finish</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_all_linkers_restore_registers</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ret</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">_Hack_DumpFile</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Load the argument representing the</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; object that&#39;s being saved</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, [</span><span style="color: #89DDFF;">esp</span><span> + </span><span style="color: #F78C6C;">4</span><span>]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Save registers</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push edi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push ebx</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov edi</span><span>, </span><span style="color: #89DDFF;">eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_file_do_dump</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Iterate the object&#39;s exports and save their flags</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; ==== NOT USED</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Grab the export data pointer</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ;mov ecx, [edi + 0x88]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Grab the number of exports</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ;mov ebx, [edi + 0x8C]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; ==== NOT USED</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Allocate space for the file path</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> sub esp</span><span>, </span><span style="color: #F78C6C;">0x200</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Grab the linker&#39;s filename</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, [</span><span style="color: #89DDFF;">edi</span><span> + </span><span style="color: #F78C6C;">0x98</span><span>]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Put the input filename in esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esi</span><span>, </span><span style="color: #89DDFF;">eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; If the input filename is empty, jump to the cleanup routine</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; since this is not a file that&#39;s in the packed .lin</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> cmp</span><span style="color: #C792EA;"> word</span><span> [</span><span style="color: #89DDFF;">eax</span><span>], </span><span style="color: #F78C6C;">0</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jz</span><span> _Hack_DumpFile_Done</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ;===== DIRECTORY CREATION</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; The file path is located at the beginning of the stack</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ebx</span><span>, </span><span style="color: #89DDFF;">esp</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Set the filename on the stack to `z:`</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; This has to be a char*, not a wchar_t*</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov</span><span style="color: #C792EA;"> byte</span><span> [</span><span style="color: #89DDFF;">esp</span><span>], &#39;z&#39;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov</span><span style="color: #C792EA;"> byte</span><span> [</span><span style="color: #89DDFF;">esp</span><span> + </span><span style="color: #F78C6C;">1</span><span>], &#39;:&#39;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; This will hold our position in the path we&#39;re building</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ebx</span><span>, </span><span style="color: #F78C6C;">0</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _Hack_DumpFile_File_Directory</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; We are looking for a backslash</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; this is wchar_t `\`</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span style="color: #F78C6C;"> 0x005c</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Grab the position of the last backslash for the</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; input file</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, appStrchr</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, (</span><span style="color: #F78C6C;">4</span><span> * </span><span style="color: #F78C6C;">2</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Not found</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> test eax</span><span>, </span><span style="color: #89DDFF;">eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jz</span><span> _Hack_DumpFile_Directory_Finish</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; We found a slash -- check if we&#39;ve discarded the first</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; bit of data before the slash (it&#39;s expected to start</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; with &quot;..\&quot; )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> test ebx</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jnz</span><span> _Hack_DumpFile_File_Directory_Create_Directory</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Update ebx to point to the first slash so we can use it</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; for later copying.</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ebx</span><span>, </span><span style="color: #89DDFF;">eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jmp</span><span> _hack_dumpfile_directory_end</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _Hack_DumpFile_File_Directory_Create_Directory</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Skip the Z: part for the dest file path</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> lea ecx</span><span>, [</span><span style="color: #89DDFF;">esp</span><span> + </span><span style="color: #F78C6C;">2</span><span>]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push edx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Start of the linker&#39;s file path</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esi</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Copy from ebx to eax</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> _hack_dump_file_copy_directory_loop</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> cmp esi</span><span>, </span><span style="color: #89DDFF;">eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> je</span><span> _hack_dump_file_copy_directory_loop_finish</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov dl</span><span>, [</span><span style="color: #89DDFF;">esi</span><span>]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov</span><span> [</span><span style="color: #89DDFF;">ecx</span><span>], </span><span style="color: #89DDFF;">dl</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> inc ecx</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; we&#39;re doing some janky wchar_t to char</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; conversion tricks</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esi</span><span>, </span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> jmp</span><span> _hack_dump_file_copy_directory_loop</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _hack_dump_file_copy_directory_loop_finish</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Add null terminator</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov</span><span style="color: #C792EA;"> byte</span><span> [</span><span style="color: #89DDFF;">ecx</span><span>], </span><span style="color: #F78C6C;">0</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop edx</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ecx</span><span>, </span><span style="color: #89DDFF;">esp</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Make sure we don&#39;t clobber eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Attributes</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span style="color: #F78C6C;"> 0x0</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Create this directory</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push ecx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ecx</span><span>, CreateDirectory</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call ecx</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; cdecl function, it cleans up</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _hack_dumpfile_directory_end</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Save the position</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> lea esi</span><span>, [</span><span style="color: #89DDFF;">eax</span><span> + </span><span style="color: #F78C6C;">2</span><span>]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> jmp</span><span> _Hack_DumpFile_File_Directory</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _Hack_DumpFile_Directory_Finish</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Set the file path we want to copy</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esi</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ;===== FILE CREATION</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; The file path is located at the beginning of the stack</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov ebx</span><span>, </span><span style="color: #89DDFF;">esp</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Set the start of VeryLongString to `Z:`</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span> ZDrive</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, wstrcpy</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, (</span><span style="color: #F78C6C;">4</span><span> * </span><span style="color: #F78C6C;">2</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Set the copy target to the bytes immediatley</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; following `z:`, so the result should be</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; `z:\filename`</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> lea eax</span><span>, [</span><span style="color: #89DDFF;">ebx</span><span> + </span><span style="color: #F78C6C;">4</span><span>]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Copy the filename to the path buffer</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Set ESI to the full file path for later use</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov esi</span><span>, </span><span style="color: #89DDFF;">ebx</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> push eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, wstrcpy</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, (</span><span style="color: #F78C6C;">4</span><span> * </span><span style="color: #F78C6C;">2</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Error</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov edx</span><span>, </span><span style="color: #C792EA;">dword</span><span> [GlobalError]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; InOuter</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, [</span><span style="color: #89DDFF;">edi</span><span> + </span><span style="color: #F78C6C;">2Ch</span><span>]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Pad size?</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span style="color: #F78C6C;"> 0xFFFFFFFF</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Conform</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span style="color: #F78C6C;"> 0x0</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Error</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push edx</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Filename</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push esi</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; TopLeveLFlags</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push</span><span> -</span><span style="color: #F78C6C;">1</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Base</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push edi</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; InOuter</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> push eax</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; ( UObject* InOuter,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; UObject* Base,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; DWORD TopLevelFlags,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; const TCHAR* Filename,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; FOutputDevice* Error=GError,</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; ULinkerLoad* Conform=NULL );</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> mov eax</span><span>, UObject_SavePackage</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> call eax</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, (</span><span style="color: #F78C6C;">7</span><span> * </span><span style="color: #F78C6C;">4</span><span>)</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _Hack_DumpFile_Done</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Restore the stack to clean up the file</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; path</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> add esp</span><span>, </span><span style="color: #F78C6C;">0x200</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Restore the export flags</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> _dump_file_restore_registers</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> ; Restore saved registers</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop ebx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop esi</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> pop edi</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> ret</span></span> <span class="giallo-l"></span></code></pre> <p><em>Why assembly?</em> Sunk cost and not wanting to figure out tooling required to compile C to shell code targeting this platform. The functions could be written in C. The detour hooks must remain assembly.</p> <h2 id="results"><a class="zola-anchor" href="#results" aria-label="Anchor link for: results" >#</a > Results</h2> <p>We can now read the output files in UE Explorer, and even run the Xbox main menu and the in-engine cinematic from the first level on PC... albeit with some bugged lighting and textures. Anything past that first level cinematic, including the interactive bit of the level itself, has failed to load.</p> <p>The above patch, dumping at <code>LoadMap()</code> end, resulted in the most reliable file dumping out of my many experiments. At the end of this function it seems nearly all data is read and ready to go, but there are definitely a couple of objects deserialized after this point. Dumping after all object reads are complete though actually seems to make things worse -- maybe because some object properties have changed in-memory from their default values?</p> <p>Loading an Xbox file in UE Explorer:</p> <p><a href="/img/splinter-cell/ue_explorer.png"><img src="/img/splinter-cell/ue_explorer.png" alt="Engine.Engine package in UE Explorer" /></a></p> <p>First level cinematic which should have a dimly-lit hallway with shadows:</p> <p><a href="/img/splinter-cell/level_load.webp"><img src="/img/splinter-cell/level_load.webp" alt="Training Mission Load" /></a></p> <p>Swapping a texture had some problems:</p> <p><a href="/img/splinter-cell/corrupt_textures.png"><img src="/img/splinter-cell/corrupt_textures.png" alt="Bugged Textures" /></a></p> <p>In fact, the textures were just straight up incomplete data. Since literally every texture object had a small size I figured that between the time the object was deserialized and the point I dumped it the original texture data must have been transformed to the target format and the original free'd.</p> <p>To confirm my assumption, I set a breakpoint in the function which kicks off object deserialization so that it would break immediately before:</p> <details class="collapse-section my-4"> <summary>Targeted Export Breakpoint Code</summary> <div class="collapse-content"> I set a breakpoint in the <code>Preload()</code> routine immediately before object deserialization with the following script.</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> ida_dbg</span><span style="color: #89DDFF;">,</span><span> ida_idd</span><span style="color: #89DDFF;">,</span><span> ida_kernwin</span><span style="color: #89DDFF;">,</span><span> ctypes</span><span style="color: #89DDFF;">,</span><span> time</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>export_addr</span><span style="color: #89DDFF;">=</span><span>ida_dbg</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get_reg_val</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ebp</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>serial_offset</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 24</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>class_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>super_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>package_index</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>object_name</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>object_flags</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>serial_size</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 20</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span>serial_offset</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">from_bytes</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">ida_idd</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">dbg_read_memory</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">export_addr</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 24</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">), &quot;</span><span style="color: #C3E88D;">little</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>edx</span><span style="color: #89DDFF;">=</span><span>ida_dbg</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get_reg_val</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">edx</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>properties</span><span style="color: #89DDFF;"> = [</span><span>class_index</span><span style="color: #89DDFF;">,</span><span> super_index</span><span style="color: #89DDFF;">,</span><span> package_index</span><span style="color: #89DDFF;">,</span><span> object_name</span><span style="color: #89DDFF;">,</span><span> object_flags</span><span style="color: #89DDFF;">,</span><span> serial_size</span><span style="color: #89DDFF;">,</span><span> serial_offset</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>ida_kernwin</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">msg</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">Export offset: </span><span style="color: #89DDFF;">&quot; + &quot;</span><span style="color: #C3E88D;">,</span><span style="color: #89DDFF;">&quot;.</span><span style="color: #82AAFF;">join</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">hex</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">n</span><span style="color: #89DDFF;">)</span><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #82AAFF;"> n</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #82AAFF;"> properties</span><span style="color: #89DDFF;">) +&quot;</span><span>\n</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Break only when the object offset matches my target</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">return</span><span> serial_offset</span><span style="color: #89DDFF;"> ==</span><span style="color: #C792EA;"> 0x</span><span style="color: #F78C6C;">11f65f</span></span></code></pre> </div> </details> <p>Then I set a breakpoint in the data read function and examined where the texture data from disk was being copied to. I had to do some stepping through to figure out where this destination pointer originated, then located immediately next to <em>that</em> pointer is the dynamic array's length and capacity. Set a Memory Write breakpoint on the length field and wait for it to go to zero. Wherever it happened, that was the code and the <code>realloc</code> immediately following had to simply get nop'd out to prevent the texture data from being evicted.</p> <p>After adjusting my patch and dumping data again I noted that the texture file's size changed dramatically and I now had some nice textures to look at:</p> <p><a href="/img/splinter-cell/cia_flag_texture.png"><img src="/img/splinter-cell/cia_flag_texture.png" alt="CIA Flag Texture" /></a></p> <p><a href="/img/splinter-cell/hud_texture.png"><img src="/img/splinter-cell/hud_texture.png" alt="HUD Texture" /></a></p> <h2 id="general-issues-with-dumping"><a class="zola-anchor" href="#general-issues-with-dumping" aria-label="Anchor link for: general-issues-with-dumping" >#</a > General Issues With Dumping</h2> <p>Since exports are lazy loaded, you can only dump what's used in a level. The main menu uses some functionality from <code>Engine</code> and <code>Core</code>, but not all of it. So if I load the main menu map and dump all the linkers when it's finished loading, I will only have a partial representation of <code>Engine</code> and <code>Core</code>.</p> <p>In the same vein, anything unreferenced or unused which might by happenstance be in the archive cannot be easily recovered without intelligent brute forcing since you don't know where its data starts. e.g. the main menu has some brushes which are in the export table but appear to be unused, so nothing ever triggers their appropriate load.</p> <h2 id="next-steps"><a class="zola-anchor" href="#next-steps" aria-label="Anchor link for: next-steps" >#</a > Next Steps</h2> <p>While we've had some wins with dumping data and I feel I've accomplished a lot, I'm not going to be satisfied until I can cleanly dump anything I want from the game. A major milestone would be to get the training mission on Xbox completely working on PC. I'm going to try to make some strides here and if I hit a wall, I'll at least try to dump some data from the review copy of the game.</p> <p>This format can certainly be read statically <em>with</em> load-order knowledge from the game engine. I'm hoping for now that someone from the community can use the work presented in this blog post to get it working in Unreal-Library.</p> <p>Static recompilation would be a much more general approach which I hope only requires two debugger breakpoint scripts to dump package filenames and export loads on a per-game basis rather than a binary patch. We already have this for SC1. The difficulty would be in contributing to UELib (or some other project) so that it can match the game's exact I/O behavior and deserialize multiple packages simultaneously using the load-order data. If this interests you, <a rel="external" href="https://github.com/EliotVU/Unreal-Library/issues/125">check out the issue I filed in the project repo</a>.</p> <p>If you have questions, feel free to reach out to me on Twitter: <a rel="external" href="https://x.com/landaire">@landaire</a>.</p> <h2 id="thanks"><a class="zola-anchor" href="#thanks" aria-label="Anchor link for: thanks" >#</a > Thanks</h2> <ul> <li>Grimdoomer for getting me up to speed with writing OG Xbox patches and for listening to my rants about this format.</li> <li>To the EnhancedSC developer community for helping inspect my dumped files and for investing in what success we've had so far.</li> <li>EliotVU for developing the great UE Explorer and UELib.</li> <li>The folks who documented their own findings on this format before me. Every little bit of information helps.</li> </ul> 2025-10-03T00:00:00+00:00 2025-10-03T00:00:00+00:00 Unknown https://landaire.net/jj-evolog/ <p><a rel="external" href="https://github.com/jj-vcs/jj"><code>jj</code> (jujutsu)</a> is a newish git-compatible version control system that has some fresh ideas and a pretty great CLI UX (compared to <code>git</code>). I had a moment recently where I hadn't yet committed my changes and while attempting to format the code I inadvertently made my diff <em>way</em> larger than it should have been.</p> <p>Here's what happened:</p> <ol> <li>I made some changes that I was quite happy with and did a quick <code>jj diff</code> / <code>jj status</code> to make sure there was nothing I was accidentally including in the change.</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #FFCB6B;">❯</span><span style="color: #C3E88D;"> : jj status</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Working</span><span style="color: #C3E88D;"> copy changes:</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> Cargo.toml</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/de.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/lib.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/ser.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/value.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/value_impls.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Working</span><span style="color: #C3E88D;"> copy</span><span> (@) </span><span style="color: #82AAFF;">:</span><span> zxsrvopz 43a4bc7d master </span><span style="color: #89DDFF;">|</span><span style="color: #FFCB6B;"> de:</span><span style="color: #C3E88D;"> very rough PoC of refcounted data</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Parent</span><span style="color: #C3E88D;"> commit</span><span> (@-): xlzooroo 9b8d55a1 core: update quickcheck + rand and tests (</span><span style="color: #FFCB6B;">tests</span><span style="color: #C3E88D;"> failing</span><span>)</span></span></code></pre> <ol start="2"> <li> <p>I noticed that the changes were not well-formatted, so I ran <code>cargo fmt</code></p> </li> <li> <p>I ran <code>jj status</code> and had an <em>oh shit</em> moment when I realized way more files were changed from the <code>cargo fmt</code> than I thought would be.</p> </li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #FFCB6B;">❯</span><span style="color: #C3E88D;"> : jj status</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Working</span><span style="color: #C3E88D;"> copy changes:</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> Cargo.toml</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/consts.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/de.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/error.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/lib.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/ser.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/value.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> src/value_impls.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> test/arby.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">M</span><span style="color: #C3E88D;"> test/mod.rs</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Working</span><span style="color: #C3E88D;"> copy</span><span> (@) </span><span style="color: #82AAFF;">:</span><span> zxsrvopz 69322ff0 master </span><span style="color: #89DDFF;">|</span><span style="color: #FFCB6B;"> de:</span><span style="color: #C3E88D;"> very rough PoC of refcounted data</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Parent</span><span style="color: #C3E88D;"> commit</span><span> (@-): xlzooroo 9b8d55a1 core: update quickcheck + rand and tests (</span><span style="color: #FFCB6B;">tests</span><span style="color: #C3E88D;"> failing</span><span>)</span></span></code></pre> <p>So now I have a problem: how do I undo the <code>cargo fmt</code> step?</p> <p><em>Note: <a rel="external" href="https://lobste.rs/s/xmlpu8/saving_my_commit_with_jj_evolog#c_a6bdjg">A lobste.rs reader helpfully pointed out</a> that <code>jj undo</code> would actually suffice at this point! Let's pretend like this is more involved though :p</em></p> <h2 id="enter-jj-evolog"><a class="zola-anchor" href="#enter-jj-evolog" aria-label="Anchor link for: enter-jj-evolog" >#</a > Enter <code>jj evolog</code></h2> <p>One of <code>jj</code>'s commands is <a rel="external" href="https://jj-vcs.github.io/jj/latest/cli-reference/#jj-evolog"><code>evolog</code></a>, which "shows how a change has evolved over time". <code>jj</code> takes a snapshot of the working copy every time a command is run, so when I ran <code>jj diff</code> to check my work, it recorded a snapshot of my working copy from the last time I ran a <code>jj</code> command.</p> <p>Running <code>jj evolog</code> you'll see something like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #FFCB6B;">❯</span><span style="color: #C3E88D;"> : jj evolog</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">○</span><span style="color: #C3E88D;"> mmxmynwt hidden example@example.com 2025-10-03 18:08:05 7aa68914</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">│</span><span> (no</span><span style="color: #C3E88D;"> description set</span><span>)</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">│</span><span style="color: #C3E88D;"> -- operation f606802e1b09</span><span> (2025-10-03</span><span style="color: #C3E88D;"> 18:08:05</span><span>) snapshot working copy</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">○</span><span style="color: #C3E88D;"> mmxmynwt hidden example@example.com 2025-10-03 18:07:58 4970219f</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (</span><span style="color: #FFCB6B;">empty</span><span style="color: #89DDFF;">) (</span><span style="color: #FFCB6B;">no</span><span style="color: #C3E88D;"> description set</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> --</span><span style="color: #C3E88D;"> operation bb8323da564f</span><span> (2025-10-03</span><span style="color: #C3E88D;"> 18:07:58</span><span>) new empty commit</span></span></code></pre> <p>Pretending that there's more than the <em>empty commit</em> and <em>snapshot working copy</em> operations, this on its own is not super helpful in identifying what happened in each operation.</p> <p>Running <code>jj evolog -p</code> shows more details:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>❯ : jj evolog -p</span></span> <span class="giallo-l"><span>@ zxsrvopz example@example.com 2025-10-03 18:07:03 master 69322ff0</span></span> <span class="giallo-l"><span>│ de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>│ -- operation 0df245508eb8 (2025-10-03 18:07:03) snapshot working copy</span></span> <span class="giallo-l"><span>│ src/consts.rs --- Rust</span></span> <span class="giallo-l"><span>│ No syntactic changes.</span></span> <span class="giallo-l"><span>│</span></span> <span class="giallo-l"><span>│ src/error.rs --- 1/3 --- Rust</span></span> <span class="giallo-l"><span>│ 6 6</span></span> <span class="giallo-l"><span>│ 7 //! Error objects and codes 7 //! Error objects and codes</span></span> <span class="giallo-l"><span>│ 8 8</span></span> <span class="giallo-l"><span>│ 9 use std::fmt; 9 use serde::{de, ser};</span></span> <span class="giallo-l"><span>│ 10 use std::io; 10 use std::error;</span></span> <span class="giallo-l"><span>│ 11 use std::error; 11 use std::fmt;</span></span> <span class="giallo-l"><span>...skipping...</span></span> <span class="giallo-l"><span>○ zxsrvopz hidden example@example.com 2025-10-02 19:31:08 43a4bc7d</span></span> <span class="giallo-l"><span> de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span> Cargo.toml --- TOML</span></span> <span class="giallo-l"><span> 10 edition = &quot;2024&quot;</span></span> <span class="giallo-l"><span> 11</span></span> <span class="giallo-l"><span> 12 [dependencies]</span></span> <span class="giallo-l"><span> 13 serde = { version = &quot;1.0.104&quot;, features = [&quot;rc&quot;] }</span></span> <span class="giallo-l"><span> 14 byteorder = &quot;1.3.2&quot;</span></span> <span class="giallo-l"><span> 15 num-bigint = &quot;0.4.0&quot;</span></span> <span class="giallo-l"><span> 16 num-traits = &quot;0.2.10&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> src/lib.rs --- Rust</span></span> <span class="giallo-l"><span> 68 68 //!</span></span> <span class="giallo-l"><span> 69 69 //! The minimum supported version of the toolchain is 1.41.1.</span></span> <span class="giallo-l"><span> 70 ..</span></span> <span class="giallo-l"><span> 71 .. #![cfg_attr(feature = &quot;unstable&quot;, feature(test))]</span></span> <span class="giallo-l"><span> 72 70</span></span> <span class="giallo-l"><span> 73 71 pub use self::ser::{</span></span> <span class="giallo-l"><span> 74 72 Serializer,</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span>/* The rest */</span></span></code></pre> <p>There are two important lines here:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>@ zxsrvopz example@example.com 2025-10-03 18:07:03 master 69322ff0</span></span></code></pre> <p>And</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>○ zxsrvopz hidden example@example.com 2025-10-02 19:31:08 43a4bc7d</span></span></code></pre> <p><code>zxsrvopz</code> is the <strong>change ID</strong> (which is the same for both lines) while <code>43a4bc7d</code> and <code>69322ff0</code> are the unique <strong>commit IDs</strong>. In the above output I just searched for <code>zx</code> to jump from the first commit to the second and saw that the second is what I wanted to restore to.</p> <p>So now I can <code>jj edit 43a4bc7d</code> to jump back to that specific operation and I see the following output:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>❯ : jj edit 43a4bc7d</span></span> <span class="giallo-l"><span>Working copy (@) now at: zxsrvopz?? 43a4bc7d de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>Parent commit (@-) : xlzooroo 9b8d55a1 core: update quickcheck + rand and tests (tests failing)</span></span> <span class="giallo-l"><span>Added 0 files, modified 8 files, removed 0 files</span></span></code></pre> <p>See the <code>zxsrvopz??</code> change ID? If the above was appropriately highlighted you'd see it in red, but <code>jj</code> now is telling me that I have a conflicted change by placing that text in red and showing the <code>??</code> after the change ID. If I run <code>jj log</code> I see my history has branched and I have two changes with the same ID:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>❯ : jj log</span></span> <span class="giallo-l"><span>@ zxsrvopz?? example@example.com 2025-10-02 19:31:08 43a4bc7d</span></span> <span class="giallo-l"><span>│ de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>│ ○ zxsrvopz?? example@example.com 2025-10-03 18:07:03 master 69322ff0</span></span> <span class="giallo-l"><span>├─╯ de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>○ xlzooroo example@example.com 2025-10-02 17:00:07 git_head() 9b8d55a1</span></span> <span class="giallo-l"><span>│ core: update quickcheck + rand and tests (tests failing)</span></span></code></pre> <p>The change starting with <code>@</code> is the revision I'm currently on while the other with a <code>○</code> is the forked revision. I can now resolve this conflict by simply abandoning the other change:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>&gt; : jj abandon 69322ff0</span></span> <span class="giallo-l"><span>Abandoned 1 commits:</span></span> <span class="giallo-l"><span> zxsrvopz?? 69322ff0 master | de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>Deleted bookmarks: master</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>❯ : jj log</span></span> <span class="giallo-l"><span>@ zxsrvopz example@example.com 2025-10-02 19:31:08 43a4bc7d</span></span> <span class="giallo-l"><span>│ de: very rough PoC of refcounted data</span></span> <span class="giallo-l"><span>○ xlzooroo example@example.com 2025-10-02 17:00:07 git_head() 9b8d55a1</span></span> <span class="giallo-l"><span>│ core: update quickcheck + rand and tests (tests failing)</span></span></code></pre> <p>And we're fixed!</p> <p>I've reproduced what happened here in a short shell session which will have better highlighting and more info (note: clicking will take you to <code>asciinema.org</code>):</p> <p><a rel="external" href="https://asciinema.org/a/bqfYzlHbdAJegjV4xZ7cQqZgj"><img src="https://asciinema.org/a/bqfYzlHbdAJegjV4xZ7cQqZgj.svg" alt="asciicast" /></a></p> 2024-08-13T00:00:00+00:00 2024-08-13T00:00:00+00:00 Unknown https://landaire.net/reflective-pe-loader-for-xbox/ <p>Emma (<a rel="external" href="https://twitter.com/carrot_c4k3">@carrot_c4k3</a>) is a good friend of mine. We met in 2007 from the Xbox 360 scene and have remained friends ever since. She recently participated in pwn2own in the Windows LPE category and ended up using a great bug for LPE.</p> <p>The bug far exceeded the category though: this vulnerability was also a <em>sandbox escape</em>, i.e. it's in an NT syscall which is reachable from the UWP sandbox. A couple months ago she got a wild idea: why not try to port the exploit over to the Xbox One? (Modern Xboxes, not to be confused with the OG Xbox)</p> <h2 id="brief-primer-on-the-xbox-one-s-security"><a class="zola-anchor" href="#brief-primer-on-the-xbox-one-s-security" aria-label="Anchor link for: brief-primer-on-the-xbox-one-s-security" >#</a > Brief Primer on the Xbox One's Security</h2> <p>Since I'll be talking about this in the context of the Xbox, it's worthwhile to spend a moment discussing the Xbox One's security model. There's <a rel="external" href="https://www.youtube.com/watch?v=U7VwtOrwceo">a very great and in-depth overview of the Xbox One's security model on YouTube</a> presented by Tony Chen who is one of the folks who designed it. I highly recommend watching it if you're interested, but I'll do my best at giving a crash course:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>┌────────────────────────────┐ ┌────────────────────────────┐</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ ERA (GameOS) │ │ SystemOS │</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │ │ │</span></span> <span class="giallo-l"><span>│ │ │ │ │ │</span></span> <span class="giallo-l"><span>└────────────────────────────┘ └─────┼─────────────┼┬───────┤</span></span> <span class="giallo-l"><span> │ │ ││ VMBus │</span></span> <span class="giallo-l"><span> │ │ │└───────┘</span></span> <span class="giallo-l"><span>┌──────────────┼─────────────────────────┼─────────────┼────────┐</span></span> <span class="giallo-l"><span>│ │ ▼ ▼ │</span></span> <span class="giallo-l"><span>│ │ HostOS ┌──────────┐ ┌───────────────┤</span></span> <span class="giallo-l"><span>│ │ │ Synthetic│ │ VSPs/Normal │</span></span> <span class="giallo-l"><span>│ └──────────────────▶│ Devices │ │ Hyper-V Stuff │</span></span> <span class="giallo-l"><span>└──────────────────────────────────┴──────────┴─┴───────────────┘</span></span> <span class="giallo-l"><span>┌───────────────────────────────────────────────────────────────┐</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ Hypervisor │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>│ │</span></span> <span class="giallo-l"><span>└───────────────────────────────────────────────────────────────┘</span></span></code></pre> <p>This is a very, very simplified drawing of what you'd find on Microsoft's <a rel="external" href="https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/hyper-v-architecture">Hyper-V Architecture page</a>. The main thing I'm trying to highlight here is that there are 3 VMs with 3 different purposes:</p> <ol> <li>HostOS, which acts very similar to your standard Hyper-V host.</li> <li>ERA OS (aka GameOS) which is where games run.</li> <li>SystemOS which is where applications run. Here you'll find the system shell and UWP applications from the Windows Store.</li> </ol> <p>Each VM is running a very slimmed down version of Windows based on Windows Core OS (WCOS). The Hyper-V architecture is mostly what you'd encounter on a normal PC but with some additional Xbox-specific VSPs/functionality.</p> <p>Missing from the above diagram is the <em>security processor</em> (SP). The Xbox One's security processor should be the only thing on the Xbox which can reveal a title's plaintext on Xbox One. (<em>Random fact: Microsoft's <a rel="external" href="https://learn.microsoft.com/en-us/windows/security/hardware-security/pluton/microsoft-pluton-security-processor">Pluton Processor</a> is based on learnings from the Xbox One's security processor</em>)</p> <p>The core idea behind all of this is to <strong>make piracy extremely difficult</strong>, if not impossible without breaking the SP. If you <em>do</em> hack the Xbox One, you can't do it online trivially because the SP will attest that the console's state is something unexpected.</p> <h2 id="ok-how-does-this-relate-to-the-pe-loader"><a class="zola-anchor" href="#ok-how-does-this-relate-to-the-pe-loader" aria-label="Anchor link for: ok-how-does-this-relate-to-the-pe-loader" >#</a > OK, How Does This Relate to the PE loader?</h2> <p>Unrelated to her pwn2own entry, Emma found a vulnerability/feature in an application on the Xbox One marketplace called <em>GameScript</em>, which is an ImGui UI for messing with the <a rel="external" href="https://github.com/kgabis/ape">Ape programming language</a>.</p> <p><a rel="external" href="https://gist.github.com/carrot-c4k3/10fdb4f3d11ca568f5452bbaefdc20dd">Through this vulnerability</a> Emma was able to read/write arbitrary memory and run shellcode. So we have arbitrary code execution in SystemOS, but now the problem: writing shellcode is a pain, so how can we run arbitrary <em>executables</em> easily?</p> <p>We have the ability to read/write arbitrary memory and change page permissions which is enough to write a portable executable (PE/.exe) loader. Emma asked if I would write one since it would simplify the exploit development pipeline while she worked on porting her LPE exploit over and it'll be useful for homebrew later on too. Easy enough right?</p> <p><strong>Wrong.</strong></p> <h2 id="reinventing-the-wheel"><a class="zola-anchor" href="#reinventing-the-wheel" aria-label="Anchor link for: reinventing-the-wheel" >#</a > Reinventing the Wheel</h2> <p>The specific technique of PE loading outlined here is referred to as "Reflective PE Loading". To me this sounds like some #redteam term I'd never heard before embarking on this project, and is not very descriptive in my opinion... but a "reflective PE loader" is simply some user-mode code that can load and execute a PE without going through the normal <code>LoadLibrary()</code> / <code>CreateProcess()</code> routines .</p> <p>Avoiding <code>LoadLibrary()</code> and <code>CreateProcess()</code> is very important for us since those will check for code integrity and any code we write will not be properly signed.</p> <p>I took a look at the work involved and decided I wanted to write my own loader for multiple reasons:</p> <ol> <li> <p>I despise dealing with C/C++ build systems.</p> </li> <li> <p>Since I'm targeting <em>Xbox Windows</em> and not <em>desktop Windows</em>, I might encounter some problems and I know how to debug my own code better than someone else's.</p> </li> <li> <p>On the Xbox we're required to use a PE loader for running unsigned executables until we eventually break code integrity. So we better know how it works and be able to load complex applications.</p> </li> <li> <p>I don't give a shit about EDR evasion or any #redteam stuff like that.</p> </li> <li> <p>We originally had some very, very strict size constraints that we found a workaround for, but we want to be able to control the loader size as much as possible.</p> </li> <li> <p>It seemed simple enough at the time to just rewrite it in Rust, so I did.</p> </li> </ol> <p>For my project's base I combined two open-source Rust projects:</p> <ul> <li><a rel="external" href="https://github.com/b1tg/rust-windows-shellcode">b1tg/rust-windows-shellcode</a> which provided a great template for writing and building Windows shellcode in Rust.</li> <li><a rel="external" href="https://github.com/Thoxy67/rspe">Thoxy67/rspe</a> which provides a basic reflective loader.</li> </ul> <p>rspe already got me most of the way there, but with a few caveats:</p> <ul> <li>It needed some cleanup (e.g. lots of unnecessary copies)</li> <li>It did not support loading imports by ordinal</li> <li>It did not support thread-local storage at all</li> <li>It did not support command line arguments</li> <li>It did not support environments with W^X mitigations</li> <li>It did not work with <em>shellcode-based programming</em> in mind.</li> </ul> <details class="collapse-section my-4"> <summary>What is shellcode-based programming?</summary> <div class="collapse-content"> On that last point above you might be wondering, "What is shellcode-based programming?" Well why don't I just give an example. Here's how a <code>VirtualAlloc()</code> call in <code>rspe</code> worked before:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #89DDFF;">#[</span><span>link</span><span style="color: #89DDFF;">(</span><span>name </span><span style="color: #89DDFF;">= &quot;</span><span style="color: #C3E88D;">kernel32</span><span style="color: #89DDFF;">&quot;)]</span></span> <span class="giallo-l"><span style="color: #C792EA;">extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">system</span><span style="color: #89DDFF;">&quot; {</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> pub fn</span><span style="color: #82AAFF;"> VirtualAlloc</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> lpaddress</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> dwsize</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> flallocationtype</span><span style="color: #89DDFF;">:</span><span> VIRTUAL_ALLOCATION_TYPE</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> flprotect</span><span style="color: #89DDFF;">:</span><span> PAGE_PROTECTION_FLAGS</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ) -&gt; *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Allocate memory for the image</span></span> <span class="giallo-l"><span style="color: #C792EA;">let</span><span> baseptr</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> VirtualAlloc</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null_mut</span><span style="color: #89DDFF;">(),</span><span style="color: #464B5D;font-style: italic;"> // lpAddress: A pointer to the starting address of the region to allocate.</span></span> <span class="giallo-l"><span> imagesize</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // dwSize: The size of the region, in bytes.</span></span> <span class="giallo-l"><span> MEM_COMMIT</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // flAllocationType: The type of memory allocation.</span></span> <span class="giallo-l"><span> PAGE_EXECUTE_READWRITE</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // flProtect: The memory protection for the region of pages to be allocated.</span></span> <span class="giallo-l"><span style="color: #89DDFF;">);</span></span></code></pre> <p>And here's how this would look with shellcode-based programming:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #F78C6C;">pub</span><span style="color: #C792EA;"> type</span><span style="color: #FFCB6B;"> VirtualAllocFn</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #C792EA;"> extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">system</span><span style="color: #89DDFF;">&quot;</span><span style="color: #82AAFF;"> fn</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> lpAddress</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> dwSize</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> flAllocationType</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> flProtect</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">) -&gt;</span><span> PVOID</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F78C6C;">pub fn</span><span style="color: #82AAFF;"> fetch_virtual_alloc</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">:</span><span> PVOID</span><span style="color: #89DDFF;">) -&gt;</span><span style="color: #FFCB6B;"> VirtualAllocFn</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // this is some macro that, using `kernelbase_ptr`, parses kernelbase&#39;s export table to find `VirtualAlloc`</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // and return its address. i.e. kind of a self-made version of `GetProcAddress`</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> resolve_func!</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">, &quot;</span><span style="color: #C3E88D;">VirtualAlloc</span><span style="color: #89DDFF;">&quot;)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">let</span><span style="color: #FFCB6B;"> VirtualAlloc</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_virtual_alloc</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;">let</span><span> baseptr</span><span style="color: #89DDFF;"> = (</span><span style="color: #FFCB6B;">VirtualAlloc</span><span style="color: #89DDFF;">)(</span></span> <span class="giallo-l"><span> preferred_load_addr</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // lpAddress: A pointer to the starting address of the region to allocate.</span></span> <span class="giallo-l"><span> imagesize</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // dwSize: The size of the region, in bytes.</span></span> <span class="giallo-l"><span> MEM_COMMIT</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // flAllocationType: The type of memory allocation.</span></span> <span class="giallo-l"><span> PAGE_READWRITE</span><span style="color: #89DDFF;">,</span><span style="color: #464B5D;font-style: italic;"> // flProtect: The memory protection for the region of pages to be allocated.</span></span> <span class="giallo-l"><span style="color: #89DDFF;">);</span></span></code></pre> <p>As you might have noticed, we're not linking against any libraries and calling those imports directly. Instead we're using indirect calls to functions whose addresses we manually resolved at runtime. All you need for shellcode development that <em>isn't</em> painful is to find <code>kernelbase.dll</code> which can be done using the <code>gs</code> register to grab the PEB:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #F78C6C;">pub fn</span><span style="color: #82AAFF;"> get_module_by_name</span><span style="color: #89DDFF;">(</span><span>module_name</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span style="color: #FFCB6B;"> u16</span><span style="color: #89DDFF;">) -&gt;</span><span style="color: #FFCB6B;"> Option</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">PVOID</span><span style="color: #89DDFF;">&gt; {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> peb</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> PEB</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> asm!</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">mov </span><span style="color: #89DDFF;">{}</span><span style="color: #C3E88D;">, gs:[0x60]</span><span style="color: #89DDFF;">&quot;,</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> out</span><span style="color: #89DDFF;">(</span><span>reg</span><span style="color: #89DDFF;">)</span><span> peb</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> );</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ldr</span><span style="color: #89DDFF;"> = (*</span><span>peb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Ldr</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_list</span><span style="color: #89DDFF;"> = &amp;((*</span><span>ldr</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">InLoadOrderModuleList</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // The first entry of LDR_DATA_TABLE_ENTRY is a LIST_ENTRY, so transmuting this address</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // from LIST_ENTRY to LDR_DATA_TABLE_ENTRY is legal.</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> cur_module</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>module_list</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // The list is doubly-linked, so eventually we will wrap back around to the head.</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_list_head</span><span style="color: #89DDFF;"> =</span><span> cur_module</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> loop</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> cur_name</span><span style="color: #89DDFF;"> = (*</span><span>cur_module</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">BaseDllName</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Buffer</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> !</span><span>cur_name</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() &amp;&amp;</span><span style="color: #82AAFF;"> icmp_raw_str_u16</span><span style="color: #89DDFF;">(</span><span>module_name</span><span style="color: #89DDFF;">,</span><span> cur_name</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">((*</span><span>cur_module</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">BaseAddress</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> flink</span><span style="color: #89DDFF;"> = (*</span><span>cur_module</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">InLoadOrderModuleList</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Flink</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> cur_module</span><span style="color: #89DDFF;"> =</span><span> flink</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> cur_module</span><span style="color: #89DDFF;"> ==</span><span> module_list_head</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // We wrapped the whole list and didn&#39;t find a result.</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #FFCB6B;"> None</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>Then <a rel="external" href="https://github.com/exploits-forsale/solstice/blob/6c47b5a0cd155d629845412974e7580fa9dff840/crates/shellcode_utils/src/lib.rs#L121-L161">parse the PE's export table</a> to find <code>GetModuleHandleA()</code>, and <code>GetProcAddress()</code>. </div> </details> <h2 id="the-easy-parts"><a class="zola-anchor" href="#the-easy-parts" aria-label="Anchor link for: the-easy-parts" >#</a > The Easy Parts</h2> <p><a rel="external" href="https://github.com/BenjaminSoelberg/ReflectivePELoader?tab=readme-ov-file">Although it's been talked about before</a>, I'll give a brief overview of how a basic loader works:</p> <ol> <li> <p>Parse the PE headers and <code>VirtualAlloc()</code> some memory for the "cloned" PE with all the fixups applied. You'll try to <code>VirtualAlloc()</code> at the PE's preferred load address, but if you don't get it fall back to a random address. This is your <em>load address</em>. From here you calculate the delta between the preferred and actual load address and this will be used for fixing relocations. (Note: copying the PE just to change its fields isn't strictly necessary but simplifies some things)</p> </li> <li> <p><a rel="external" href="https://github.com/exploits-forsale/solstice/blob/6c47b5a0cd155d629845412974e7580fa9dff840/crates/solstice_loader/src/pelib.rs#L211-L254">Iterate each PE section and copy it over to the newly <code>VirtualAlloc</code>'d region</a>. The virtual addresses here are <em>relative</em> virtual addresses, so you just take each section's VirtualAddress, add it to the load address, and copy the section from its old location to the new address.</p> </li> <li> <p><a rel="external" href="https://github.com/exploits-forsale/solstice/blob/6c47b5a0cd155d629845412974e7580fa9dff840/crates/solstice_loader/src/pelib.rs#L256-L321">Fix section permissions</a>. For each section, look at its <code>Characteristics</code> field and determine the correct permissions. <code>VirtualProtect()</code> the section according to the permissions.</p> </li> <li> <p><a rel="external" href="https://github.com/exploits-forsale/solstice/blob/6c47b5a0cd155d629845412974e7580fa9dff840/crates/solstice_loader/src/pelib.rs#L425-L545">Fix imports</a>. For each import in the import table (<code>IMAGE_DIRECTORY_ENTRY_IMPORT</code>), ensure the imported DLL is loaded. Then use the loaded DLL's handle with <code>GetProcAddress()</code> to get the address of the function being imported. For each import in the table, write the real address in the import's thunk. Instead of <code>GetProcAddress()</code> could also parse the module's exports and match things up, but I took the lazy way.</p> </li> <li> <p><a rel="external" href="https://github.com/exploits-forsale/solstice/blob/6c47b5a0cd155d629845412974e7580fa9dff840/crates/solstice_loader/src/pelib.rs#L323-L398">Fix relocations</a>. This basically involves walking the <code>IMAGE_DIRECTORY_ENTRY_BASERELOC</code> directory and fixing each <code>IMAGE_BASE_RELOCATION</code> such that you add the delta calculated in step 1 to the relocation's <code>VirtualAddress</code> field. There's some nuance here where you need to only modify certain bits, etc. etc. but this is the basic idea.</p> </li> <li> <p><a rel="external" href="https://github.com/exploits-forsale/solstice/blob/main/crates/solstice_loader/src/lib.rs#L343-L347">Call the module's entrypoints</a>.</p> </li> </ol> <p>I learned through this experience that PEs can have multiple thread-local storage callbacks called before the actual module entrypoint. Calling these is fairly straightforward:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #C792EA;">let</span><span> tls_directory</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &amp;</span><span>ntheader_ref</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">OptionalHeader</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">DataDirectory</span><span style="color: #89DDFF;">[</span><span>IMAGE_DIRECTORY_ENTRY_TLS</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Grab the TLS data from the PE we&#39;re loading</span></span> <span class="giallo-l"><span style="color: #C792EA;">let</span><span> tls_data_addr</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span> baseptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(</span><span>tls_directory</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">VirtualAddress</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> isize</span><span style="color: #89DDFF;">)</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">let</span><span> tls_data</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span> IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>tls_data_addr</span><span style="color: #89DDFF;">) };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">let mut</span><span> callbacks_addr</span><span style="color: #89DDFF;"> =</span><span> tls_data</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">AddressOfCallBacks</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span style="color: #89DDFF;"> !</span><span>callbacks_addr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> callback</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> { *</span><span>callbacks_addr</span><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> !</span><span>callback</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> execute_tls_callback</span><span style="color: #89DDFF;">(</span><span>baseptr</span><span style="color: #89DDFF;">,</span><span> callback</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> callbacks_addr</span><span style="color: #89DDFF;"> =</span><span> callbacks_addr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">add</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> callback</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> { *</span><span>callbacks_addr</span><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F78C6C;">unsafe fn</span><span style="color: #82AAFF;"> execute_tls_callback</span><span style="color: #89DDFF;">(</span><span>baseptr</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span><span> entrypoint</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> func</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> ImageTlsCallbackFn</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>entrypoint</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> func</span><span style="color: #89DDFF;">(</span><span>baseptr</span><span style="color: #89DDFF;">,</span><span> DLL_THREAD_ATTACH</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null_mut</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>Executing the image entrypoint is pretty similar:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #C792EA;">let</span><span> entrypoint</span><span style="color: #89DDFF;"> = (</span><span>baseptr</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (*(</span><span>ntheader</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> IMAGE_NT_HEADERS64</span><span style="color: #89DDFF;">))</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #FFCB6B;">OptionalHeader</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #FFCB6B;">AddressOfEntryPoint</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">)</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Create a new thread to execute the image</span></span> <span class="giallo-l"><span style="color: #82AAFF;">execute_image</span><span style="color: #89DDFF;">(</span><span>baseptr</span><span style="color: #89DDFF;">,</span><span> entrypoint</span><span style="color: #89DDFF;">,</span><span> context</span><span style="color: #89DDFF;">.</span><span>fns</span><span style="color: #89DDFF;">.</span><span>create_thread_fn</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F78C6C;">unsafe fn</span><span style="color: #82AAFF;"> execute_image</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> dll_base</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> entrypoint</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> create_thread_fn</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> CreateThreadFn</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> func</span><span style="color: #89DDFF;">:</span><span style="color: #C792EA;"> extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">system</span><span style="color: #89DDFF;">&quot;</span><span style="color: #82AAFF;"> fn</span><span style="color: #89DDFF;">(*</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">, *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">) -&gt;</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>entrypoint</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> func</span><span style="color: #89DDFF;">(</span><span>dll_base</span><span style="color: #89DDFF;">,</span><span> DLL_PROCESS_ATTACH</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h2 id="the-hard-parts"><a class="zola-anchor" href="#the-hard-parts" aria-label="Anchor link for: the-hard-parts" >#</a > The Hard Parts</h2> <p>There were some parts that really kicked my ass in figuring out, but in my opinion were very important for what I wanted in the PE loader.</p> <ol> <li> <p>The exploit / PE loader must not cause the hijacked application to become unreliable. I don't want to be debugging crashes in some of the existing threads that broke simply because we're hijacking the address space.</p> </li> <li> <p>We must be able to run complex applications. Since we're using this technique to bypass code integrity, this will be our main method of running arbitrary applications.</p> </li> <li> <p>The application shouldn't <em>know</em> it's been reflectively loaded, or care.</p> </li> </ol> <h3 id="thread-local-storage"><a class="zola-anchor" href="#thread-local-storage" aria-label="Anchor link for: thread-local-storage" >#</a > Thread-Local Storage</h3> <p>Related to #2, the absolute biggest challenge I faced was with applications that use thread-local storage (TLS). Having done all of my development in Rust, my test program that I was loading was also written in Rust.</p> <p>I kept crashing on <code>int 29</code> instructions (<code>RtlFailFast(code)</code>) shortly after executing the module's entrypoint. This was <strong>extremely</strong> painful to debug but eventually I figured out that I was failing after fetching data from TLS</p> <p><a href="/img/pe-loader/tls-thread-set-current.png"><img src="/img/pe-loader/tls-thread-set-current.png" alt="Screenshot of assembly instructions from a Rust &quot;hello world&quot; application loading data from TLS in IDA pro" /></a></p> <p><a href="/img/pe-loader/int-29.png"><img src="/img/pe-loader/int-29.png" alt="Screenshot of assembly instructions from a Rust &quot;hello world&quot; application executing an int 29 instruction in IDA pro" /></a></p> <p>I was kind of confused because I didn't expect my application to use TLS, but apparently even the most basic "hello world" Rust program uses TLS:</p> <p><a href="/img/pe-loader/pe-bear-tls.png"><img src="/img/pe-loader/pe-bear-tls.png" alt="Screenshot of a Rust &quot;hello world&quot; application loaded into the &quot;PE Bear&quot; program, showing its TLS directory" /></a></p> <p>It turns out that this is related to Rust's thread initialization code that sets some thread-locals for the current thread and thread ID: <a rel="external" href="https://github.com/rust-lang/rust/blob/2e630267b2bce50af3258ce4817e377fa09c145b/library/std/src/thread/mod.rs#L694">https://github.com/rust-lang/rust/blob/2e630267b2bce50af3258ce4817e377fa09c145b/library/std/src/thread/mod.rs#L694</a></p> <p>So I came to realize that my original idea for how I was handling TLS data was completely flawed. Originally I was <em>allocating</em> new memory for my module's TLS, but didn't even realize it had some default state associated with it that I had to copy over. Simple fix right?</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>diff --git a/crates/loader/src/lib.rs b/crates/loader/src/lib.rs</span></span> <span class="giallo-l"><span>index 97311d0..d66773d 100755</span></span> <span class="giallo-l"><span>--- a/crates/loader/src/lib.rs</span></span> <span class="giallo-l"><span>+++ b/crates/loader/src/lib.rs</span></span> <span class="giallo-l"><span>@@ -180,34 +185,53 @@ unsafe fn reflective_loader_impl(context: LoaderContext) {</span></span> <span class="giallo-l"><span> .OptionalHeader</span></span> <span class="giallo-l"><span> .AddressOfEntryPoint as usize) as *const c_void;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>- let tls_directory = &amp;ntheader_ref.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS];</span></span> <span class="giallo-l"><span>+ let tls_directory =</span></span> <span class="giallo-l"><span>+ &amp;ntheader_ref.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS as usize];</span></span> <span class="giallo-l"><span>+</span></span> <span class="giallo-l"><span>+ // Grab the TLS data from the PE we&#39;re loading</span></span> <span class="giallo-l"><span>+ let tls_data_addr =</span></span> <span class="giallo-l"><span>+ baseptr.offset(tls_directory.VirtualAddress as isize) as *mut IMAGE_TLS_DIRECTORY64;</span></span> <span class="giallo-l"><span>+</span></span> <span class="giallo-l"><span>+ // TODO: Patch the module list</span></span> <span class="giallo-l"><span>+ let tls_index = patch_module_list(</span></span> <span class="giallo-l"><span>+ context.image_name,</span></span> <span class="giallo-l"><span>+ baseptr,</span></span> <span class="giallo-l"><span>+ imagesize,</span></span> <span class="giallo-l"><span>+ context.fns.get_module_handle_fn,</span></span> <span class="giallo-l"><span>+ tls_data_addr,</span></span> <span class="giallo-l"><span>+ context.fns.virtual_protect,</span></span> <span class="giallo-l"><span>+ entrypoint,</span></span> <span class="giallo-l"><span>+ );</span></span> <span class="giallo-l"><span>+</span></span> <span class="giallo-l"><span> if tls_directory.Size &gt; 0 {</span></span> <span class="giallo-l"><span> // Grab the TLS data from the PE we&#39;re loading</span></span> <span class="giallo-l"><span> let tls_data_addr =</span></span> <span class="giallo-l"><span> baseptr.offset(tls_directory.VirtualAddress as isize) as *mut IMAGE_TLS_DIRECTORY64;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>- let tls_data: &amp;IMAGE_TLS_DIRECTORY64 = unsafe { core::mem::transmute(tls_data_addr) };</span></span> <span class="giallo-l"><span>+ let tls_data: &amp;mut IMAGE_TLS_DIRECTORY64 = unsafe { core::mem::transmute(tls_data_addr) };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> // Grab the TLS start from the TEB</span></span> <span class="giallo-l"><span> let tls_start: *mut *mut c_void;</span></span> <span class="giallo-l"><span> unsafe { core::arch::asm!(&quot;mov {}, gs:[0x58]&quot;, out(reg) tls_start) }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>- let tls_index = unsafe { *(tls_data.AddressOfIndex as *const u32) };</span></span> <span class="giallo-l"><span>-</span></span> <span class="giallo-l"><span> let tls_slot = tls_start.offset(tls_index as isize);</span></span> <span class="giallo-l"><span> let raw_data_size = tls_data.EndAddressOfRawData - tls_data.StartAddressOfRawData;</span></span> <span class="giallo-l"><span>- *tls_slot = (context.fns.virtual_alloc)(</span></span> <span class="giallo-l"><span>+ let tls_data_addr = (context.fns.virtual_alloc)(</span></span> <span class="giallo-l"><span> ptr::null(),</span></span> <span class="giallo-l"><span>- raw_data_size as usize,</span></span> <span class="giallo-l"><span>+ raw_data_size as usize, // + tls_data.SizeOfZeroFill as usize,</span></span> <span class="giallo-l"><span> MEM_COMMIT,</span></span> <span class="giallo-l"><span> PAGE_READWRITE,</span></span> <span class="giallo-l"><span> );</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>- // if !tls_start.is_null() {</span></span> <span class="giallo-l"><span>- // // Zero out this memory</span></span> <span class="giallo-l"><span>- // let tls_slots: &amp;mut [u64] = unsafe { core::slice::from_raw_parts_mut(tls_start, 64) };</span></span> <span class="giallo-l"><span>- // tls_slots.iter_mut().for_each(|slot| *slot = 0);</span></span> <span class="giallo-l"><span>- // }</span></span> <span class="giallo-l"><span>+ core::ptr::copy_nonoverlapping(</span></span> <span class="giallo-l"><span>+ tls_data.StartAddressOfRawData as *const _,</span></span> <span class="giallo-l"><span>+ tls_data_addr,</span></span> <span class="giallo-l"><span>+ raw_data_size as usize,</span></span> <span class="giallo-l"><span>+ );</span></span> <span class="giallo-l"><span>+</span></span> <span class="giallo-l"><span>+ // Update the TLS index</span></span> <span class="giallo-l"><span>+ core::ptr::write(tls_data.AddressOfIndex as *mut u32, tls_index);</span></span> <span class="giallo-l"><span>+ *tls_slot = tls_data_addr;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> let mut callbacks_addr = tls_data.AddressOfCallBacks as *const *const c_void;</span></span> <span class="giallo-l"><span> if !callbacks_addr.is_null() {</span></span></code></pre> <p>This code worked, but not for long. I obviously had no idea how TLS worked, and soon discovered that in a multi-threaded application I was <em>again</em> getting similar crashes because the TLS data was bad. Through much pain and debugging I ended up learning:</p> <ul> <li> <p>Changing the TLS for your current thread is obviously not enough. New threads that spawn won't have the modifications I did above, so they'll have "default" TLS without my module included since the changes I did above are only reflected for the current thread. Duh.</p> </li> <li> <p>TLS is allocated in slots for the current thread and each slot is a pointer to the TLS data.</p> </li> <li> <p>Windows keeps a cache of TLS directories for each loaded module, which means you can't just pave over the hijacked module's TLS data with your new TLS data and things will "just work". You'll have to update the cache.</p> </li> </ul> <h3 id="fixing-tls-data"><a class="zola-anchor" href="#fixing-tls-data" aria-label="Anchor link for: fixing-tls-data" >#</a > Fixing TLS Data</h3> <p>In the above section I mentioned that Windows keeps a cache of TLS directories for each loaded module, and I think this is a critical reason why the reflective PE loaders I sampled didn't bother with TLS data (<a rel="external" href="https://github.com/DarthTon/Blackbone/blob/5ede6ce50cd8ad34178bfa6cae05768ff6b3859b/src/BlackBone/ManualMap/Native/NtLoader.cpp#L153">only one loader sampled seemed to support TLS data</a>).</p> <p>I really only discovered this by painfully debugging and figuring out the application only crashed when spawning new threads, that the crashes were relating to data in TLS, and figuring that something must be wrong with the TLS data.</p> <p>It finally clicked when I noticed that the <code>ThreadLocalStoragePointer</code> for the crashing thread's TEB didn't match the spawning thread's...</p> <p><a href="/img/pe-loader/teb-command.png"><img src="/img/pe-loader/teb-command.png" alt="!teb command in WinDbg" /></a></p> <p><a href="/img/pe-loader/thread-local-storage.png"><img src="/img/pe-loader/thread-local-storage.png" alt="Clicking the TEB pointer in WinDbg&#39;s !teb output" /></a></p> <p>This is super obvious in hindsight! Each thread's TLS has to be unique, but I don't know... I thought the <code>ThreadLocalStoragePointer</code> was a pointer to the <em>default state</em> TLS and the per-thread slots were in the TEB's <code>TlsSlots</code> field?</p> <p>Anyways, I set a breakpoint at the thread initialization routine, <code>LdrpInitializeThread</code>, and debugged it to see if there was anything that stood out for TLS initialization. Like magic, I eventually stepped into <code>LdrpAllocateTls</code>:</p> <p><a href="/img/pe-loader/LdrpAllocateTls.png"><img src="/img/pe-loader/LdrpAllocateTls.png" alt="WinDbg stack for a new user thread showing the call into LdrpAllocateTls" /></a></p> <p>The <a rel="external" href="https://github.com/mirror/reactos/blob/c6d2b35ffc91e09f50dfb214ea58237509329d6b/reactos/dll/ntdll/ldr/ldrinit.c#L1215-L1273">ReactOS source code</a> was of huge help here in figuring out what was going on, but essentially what happens when spawning a new thread is:</p> <ol> <li>If any of the currently loaded modules has TLS, allocate a <code>ThreadLocalStoragePointer</code>.</li> <li>The size of this memory block is <code>sizeof(void*) * NUM_MODULES_WITH_TLS_DATA</code>.</li> <li>Iterate some <code>TlsLinks</code> list. This is a list of <code>LDRP_TLS_DATA</code>:</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #F78C6C;">typedef</span><span style="color: #C792EA;"> struct</span><span> _LDRP_TLS_DATA</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #F07178;"> LIST_ENTRY TlsLinks</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> IMAGE_TLS_DIRECTORY TlsDirectory</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span><span> LDRP_TLS_DATA</span><span style="color: #89DDFF;">, *</span><span>PLDRP_TLS_DATA</span><span style="color: #89DDFF;">;</span></span></code></pre> <ol start="4"> <li>Calculate the size of the TLS data based on the <code>TlsDirectory</code>, and copy its contents.</li> <li>Put the pointer to the memory allocated in step 4 in the appropriate slot, recorded as <code>TlsData-&gt;TlsDirectory.Characteristics</code>.</li> </ol> <p>Now that I know the TLS data is cached, can't I just overwrite the <code>TlsDirectory</code> data in this list from the host module with the data from the new module? Well yes... and no. The <code>LDRP_TLS_DATA</code> is heap-allocated, so I'd have to scan the heap which would be pretty bug-prone.</p> <h4 id="janky-approach-to-fixing-tls-data"><a class="zola-anchor" href="#janky-approach-to-fixing-tls-data" aria-label="Anchor link for: janky-approach-to-fixing-tls-data" >#</a > Janky Approach to Fixing TLS Data</h4> <p><strong>tl;dr</strong>: use a private <code>ntdll</code> function that returns the cached <code>TLS_ENTRY</code> from a <code>LDR_DATA_TABLE_ENTRY*</code> to find the hijacked module's TLS data. Once found, overwrite the cached <code>IMAGE_TLS_DIRECTORY</code> with the new module's.</p> <p>This has a big problem: if the program you're loading requires TLS, you must inject into a program with TLS. Otherwise you'll be replacing a random DLL's TLS data if you aren't careful.</p> <details class="collapse-section my-4"> <summary>List Patching Details</summary> <div class="collapse-content"> I popped <code>ntdll.dll</code> into IDA to see what functions were using this <code>LdrpTlsList</code> to see if maybe there was some other way I could grab the list's address.</p> <p><a href="/img/pe-loader/LdrpFindTlsEntry.png"><img src="/img/pe-loader/LdrpFindTlsEntry.png" alt="IDA Pro window showing functions using LdrpTlsList" /></a></p> <p>I found that in Windows (but not ReactOS) is a function, "<code>LdrpFindTlsList</code>", which will return a <code>PTLS_ENTRY</code> (the actual name of the Windows data structure for ReactOS's <code>LDRP_TLS_DATA</code>) given a <code>PLDR_DATA_TABLE_ENTRY</code>. <a rel="external" href="http://www.nynaeve.net/Code/VistaImplicitTls.cpp">Ken Johnson even conviently provided the source code on his blog</a>.</p> <p>The <code>PLDR_DATA_TABLE_ENTRY</code> can be found in the PEB which you can explore using the <code>!peb</code> command in WinDbg.</p> <p>The complete code:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// Returns the Thread Environment Block (TEB)</span></span> <span class="giallo-l"><span style="color: #F78C6C;">pub fn</span><span style="color: #82AAFF;"> teb</span><span style="color: #89DDFF;">() -&gt; *</span><span style="color: #C792EA;">mut</span><span> TEB</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> teb</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> TEB</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">arch</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">asm!</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">mov </span><span style="color: #89DDFF;">{}</span><span style="color: #C3E88D;">, gs:[0x30]</span><span style="color: #89DDFF;">&quot;,</span><span style="color: #82AAFF;"> out</span><span style="color: #89DDFF;">(</span><span>reg</span><span style="color: #89DDFF;">)</span><span> teb</span><span style="color: #89DDFF;">) }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> teb</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F78C6C;">pub unsafe fn</span><span style="color: #82AAFF;"> patch_module_list</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> image_name</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Option</span><span style="color: #89DDFF;">&lt;&amp;[</span><span style="color: #FFCB6B;">u16</span><span style="color: #89DDFF;">]&gt;,</span></span> <span class="giallo-l"><span> new_base_address</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> module_size</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> get_module_handle_fn</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> GetModuleHandleAFn</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> this_tls_data</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> virtual_protect</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> VirtualProtectFn</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> entrypoint</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">) -&gt;</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> current_module</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_module_handle_fn</span><span style="color: #89DDFF;">(</span><span style="color: #FFCB6B;">core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> teb</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> teb</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> peb</span><span style="color: #89DDFF;"> = (*</span><span>teb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">ProcessEnvironmentBlock</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ldr_data</span><span style="color: #89DDFF;"> = (*</span><span>peb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Ldr</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_list_head</span><span style="color: #89DDFF;"> = &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #89DDFF;"> (*</span><span>ldr_data</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">InMemoryOrderModuleList</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> LIST_ENTRY</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> next</span><span style="color: #89DDFF;"> = (*</span><span>module_list_head</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Flink</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span> next</span><span style="color: #89DDFF;"> !=</span><span> module_list_head</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // -1 because this is the second field in the LDR_DATA_TABLE_ENTRY struct.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // the first one is also a LIST_ENTRY</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_info</span><span style="color: #89DDFF;"> = (</span><span>next</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">))</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">DllBase</span><span style="color: #89DDFF;"> ==</span><span> current_module</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">DllBase</span><span style="color: #89DDFF;"> =</span><span> new_base_address</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // EntryPoint</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Reserved3</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] =</span><span> entrypoint</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // SizeOfImage</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Reserved3</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] =</span><span> module_size</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> !</span><span>this_tls_data</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntdll_addr</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_module_handle_fn</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ntdll.dll</span><span>\0</span><span style="color: #89DDFF;">&quot;.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">()</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> _</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>ntdll_text</span><span style="color: #89DDFF;">) =</span><span style="color: #82AAFF;"> get_module_section</span><span style="color: #89DDFF;">(</span><span>ntdll_addr</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #89DDFF;">,</span><span style="color: #C3E88D;"> b</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">.text</span><span style="color: #89DDFF;">&quot;) {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span> window</span><span style="color: #F78C6C;"> in</span><span> ntdll_text</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">windows</span><span style="color: #89DDFF;">(</span><span>LDRP_FIND_TLS_ENTRY_SIGNATURE_BYTES</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">len</span><span style="color: #89DDFF;">()) {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> window</span><span style="color: #89DDFF;"> ==</span><span> LDRP_FIND_TLS_ENTRY_SIGNATURE_BYTES</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Get this window&#39;s pointer and move backwards to find the start of the fn</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> ptr</span><span style="color: #89DDFF;"> =</span><span> window</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> loop</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> behind</span><span style="color: #89DDFF;"> =</span><span> ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> *</span><span>behind</span><span style="color: #89DDFF;"> ==</span><span style="color: #F78C6C;"> 0xcc</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> ptr</span><span style="color: #89DDFF;"> =</span><span> ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> LdrpFindTlsEntry</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> LdrpFindTlSEntryFn</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> list_entry</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> LdrpFindTlsEntry</span><span style="color: #89DDFF;">(</span><span>module_info</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>list_entry</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">TlsDirectory</span><span style="color: #89DDFF;"> = *</span><span>this_tls_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> next</span><span style="color: #89DDFF;"> = (*</span><span>next</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Flink</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // This stuff here is mostly unnecessary, but I did it anyways as a &quot;just in case&quot;.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // The idea is to overwrite the `IMAGE_TLS_DIRECTORY` of the hijacked module</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // to point at the new module&#39;s.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // And to get the hijacked module&#39;s TLS index since that&#39;s the slot we&#39;ll be</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // hijacking for our new module.</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> !</span><span>this_tls_data</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> dosheader</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_dos_header</span><span style="color: #89DDFF;">(</span><span>current_module</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntheader</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_nt_header</span><span style="color: #89DDFF;">(</span><span>current_module</span><span style="color: #89DDFF;">,</span><span> dosheader</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> #[</span><span>cfg</span><span style="color: #89DDFF;">(</span><span>target_arch </span><span style="color: #89DDFF;">= &quot;</span><span style="color: #C3E88D;">x86_64</span><span style="color: #89DDFF;">&quot;)]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntheader_ref</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span> IMAGE_NT_HEADERS64</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>ntheader</span><span style="color: #89DDFF;">) };</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> #[</span><span>cfg</span><span style="color: #89DDFF;">(</span><span>target_arch </span><span style="color: #89DDFF;">= &quot;</span><span style="color: #C3E88D;">x86</span><span style="color: #89DDFF;">&quot;)]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntheader_ref</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span> IMAGE_NT_HEADERS32</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>ntheader</span><span style="color: #89DDFF;">) };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> real_module_tls_entry</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &amp;</span><span style="color: #C792EA;">mut</span><span> ntheader_ref</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">OptionalHeader</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">DataDirectory</span><span style="color: #89DDFF;">[</span><span>IMAGE_DIRECTORY_ENTRY_TLS</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> real_module_tls_dir</span><span style="color: #89DDFF;"> =</span><span> current_module</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(</span><span>real_module_tls_entry</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">VirtualAddress</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> isize</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> old_perms</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> virtual_protect</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> real_module_tls_dir</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> _</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of</span><span style="color: #89DDFF;">::&lt;</span><span>IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;">&gt;(),</span></span> <span class="giallo-l"><span> PAGE_READWRITE</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &amp;</span><span style="color: #C792EA;">mut</span><span> old_perms</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> );</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> idx</span><span style="color: #89DDFF;"> = *((*</span><span>real_module_tls_dir</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">AddressOfIndex</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span>real_module_tls_dir</span><span style="color: #89DDFF;"> = *</span><span>this_tls_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> idx</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> </div> </details> <h4 id="the-good-method"><a class="zola-anchor" href="#the-good-method" aria-label="Anchor link for: the-good-method" >#</a > The Good Method</h4> <p>Remember how I said <a rel="external" href="https://github.com/DarthTon/Blackbone/blob/5ede6ce50cd8ad34178bfa6cae05768ff6b3859b/src/BlackBone/ManualMap/Native/NtLoader.cpp#L153">only one loader sampled seemed to support TLS data</a>? This happens to be the same approach they took.</p> <p>Building on the above list patching method, I saw a different function called <code>LdrpAllocateTlsEntry</code> referenced the <code>LdrpTlsList</code> cache and is called by <code>LdrpHandleTlsData</code>. The latter function is called when a new module is loaded and is responsible for setting up almost all of the state relating to a module's TLS.</p> <p>It has no sanity checks on whether or not the module's TLS data has already been handled. Which is awesome, and actually makes sense! Why sanity check if this function is only ever called once during real loader scenarios?</p> <p>We can abuse this by performing the following operations:</p> <ol> <li>Update the hijacked module's <code>LDR_DATA_TABLE_ENTRY</code> (found via the PEB) to point to our new module's base address.</li> <li>Release the hijacked module's TLS data (<code>LdrpReleaseTlsEntry</code>)</li> <li>Call <code>LdrpHandleTlsData</code> with the hijacked module to force the new TLS data to be loaded.</li> </ol> <p>This also solves all of the problems we had with both prior methods!</p> <ul> <li>We can inject into any process and not just processes that have TLS data</li> <li>According to the <a rel="external" href="http://www.nynaeve.net/Code/VistaImplicitTls.cpp">Ken Johnson code</a> this function updates the TLS info in the PEB (or maybe some kernel data?)</li> <li>And according to the Ken Johnson code updates other threads</li> <li>Is less code than <em>both</em> other solutions</li> <li>Doesn't require me to manually update the new module's TLS index</li> </ul> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #C792EA;">const</span><span> LDRP_RELEASE_TLS_ENTRY_SIGNATURE_BYTES</span><span style="color: #89DDFF;">: [</span><span style="color: #FFCB6B;">u8</span><span style="color: #89DDFF;">;</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">] = [</span><span style="color: #F78C6C;">0x83</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0xE1</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x07</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x48</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0xC1</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0xEA</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x03</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">const</span><span> LDRP_HANDLE_TLS_DATA_SIGNATURE_BYTES</span><span style="color: #89DDFF;">: [</span><span style="color: #FFCB6B;">u8</span><span style="color: #89DDFF;">;</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;">] =</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> [</span><span style="color: #F78C6C;">0xBA</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x23</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x00</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x00</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x00</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x48</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x83</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0xC9</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0xFF</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Function signature/type alias for LdrpReleaseTlsEntry</span></span> <span class="giallo-l"><span style="color: #C792EA;">type</span><span style="color: #FFCB6B;"> LdrpReleaseTlsEntryFn</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> unsafe</span><span style="color: #C792EA;"> extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">system</span><span style="color: #89DDFF;">&quot;</span><span style="color: #82AAFF;"> fn</span><span style="color: #89DDFF;">(</span><span>entry</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;">,</span><span> unk</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">) -&gt;</span><span> NTSTATUS</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Function signature/type alias for LdrpHandleTlsData</span></span> <span class="giallo-l"><span style="color: #C792EA;">type</span><span style="color: #FFCB6B;"> LdrpHandleTlsDataFn</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> unsafe</span><span style="color: #C792EA;"> extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">system</span><span style="color: #89DDFF;">&quot;</span><span style="color: #82AAFF;"> fn</span><span style="color: #89DDFF;">(</span><span>entry</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// Returns the Thread Environment Block (TEB)</span></span> <span class="giallo-l"><span style="color: #F78C6C;">pub fn</span><span style="color: #82AAFF;"> teb</span><span style="color: #89DDFF;">() -&gt; *</span><span style="color: #C792EA;">mut</span><span> TEB</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> teb</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> TEB</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> unsafe</span><span style="color: #89DDFF;"> {</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">arch</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">asm!</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">mov </span><span style="color: #89DDFF;">{}</span><span style="color: #C3E88D;">, gs:[0x30]</span><span style="color: #89DDFF;">&quot;,</span><span style="color: #82AAFF;"> out</span><span style="color: #89DDFF;">(</span><span>reg</span><span style="color: #89DDFF;">)</span><span> teb</span><span style="color: #89DDFF;">) }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> teb</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// Patches the module list to change the hijacked module&#39;s DLL base and entrypoint.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">///</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// TODO: Patch image name.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">///</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// This is useful to ensure that a program that depends on `GetModuleHandle*`</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// doesn&#39;t fail simply because its module is not found</span></span> <span class="giallo-l"><span style="color: #F78C6C;">pub unsafe fn</span><span style="color: #82AAFF;"> patch_ldr_data</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> new_base_address</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> module_size</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> get_module_handle_fn</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> GetModuleHandleAFn</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> this_tls_data</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> IMAGE_TLS_DIRECTORY64</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> entrypoint</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">const</span><span> c_void</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> current_module</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_module_handle_fn</span><span style="color: #89DDFF;">(</span><span style="color: #FFCB6B;">core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> teb</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> teb</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> peb</span><span style="color: #89DDFF;"> = (*</span><span>teb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">ProcessEnvironmentBlock</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ldr_data</span><span style="color: #89DDFF;"> = (*</span><span>peb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Ldr</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_list_head</span><span style="color: #89DDFF;"> = &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #89DDFF;"> (*</span><span>ldr_data</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">InMemoryOrderModuleList</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> LIST_ENTRY</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> next</span><span style="color: #89DDFF;"> = (*</span><span>module_list_head</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Flink</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span> next</span><span style="color: #89DDFF;"> !=</span><span> module_list_head</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // -1 because this is the second field in the LDR_DATA_TABLE_ENTRY struct.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // the first one is also a LIST_ENTRY</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> module_info</span><span style="color: #89DDFF;"> = (</span><span>next</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">))</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> LDR_DATA_TABLE_ENTRY</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">DllBase</span><span style="color: #89DDFF;"> !=</span><span> current_module</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> next</span><span style="color: #89DDFF;"> = (*</span><span>next</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Flink</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> continue</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">DllBase</span><span style="color: #89DDFF;"> =</span><span> new_base_address</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // EntryPoint</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Reserved3</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] =</span><span> entrypoint</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // SizeOfImage</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*</span><span>module_info</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">Reserved3</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] =</span><span> module_size</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> c_void</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> this_tls_data</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_null</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntdll_addr</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_module_handle_fn</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">ntdll.dll</span><span>\0</span><span style="color: #89DDFF;">&quot;.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">()</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span> _</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntdll_text</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_module_section</span><span style="color: #89DDFF;">(</span><span>ntdll_addr</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #89DDFF;">,</span><span style="color: #C3E88D;"> b</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">.text</span><span style="color: #89DDFF;">&quot;);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> ntdll_text</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_none</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ntdll_text</span><span style="color: #89DDFF;"> =</span><span> ntdll_text</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">unwrap</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Get the TLS entry for the current module and remove it from the list</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>window</span><span style="color: #89DDFF;">) =</span><span> ntdll_text</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">windows</span><span style="color: #89DDFF;">(</span><span>LDRP_RELEASE_TLS_ENTRY_SIGNATURE_BYTES</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">len</span><span style="color: #89DDFF;">())</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">find</span><span style="color: #89DDFF;">(|&amp;</span><span>window</span><span style="color: #89DDFF;">|</span><span> window</span><span style="color: #89DDFF;"> ==</span><span> LDRP_RELEASE_TLS_ENTRY_SIGNATURE_BYTES</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Get this window&#39;s pointer. It will land us in the middle of this function though</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> ptr</span><span style="color: #89DDFF;"> =</span><span> window</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Walk backwards until we find the prologue. Pray this function retains padding</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> loop</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> *</span><span>ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0xcc</span><span style="color: #89DDFF;"> &amp;&amp; *</span><span>ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0xcc</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> ptr</span><span style="color: #89DDFF;"> =</span><span> ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> #[</span><span>allow</span><span style="color: #89DDFF;">(</span><span>non_snake_case</span><span style="color: #89DDFF;">)]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> LdrpReleaseTlsEntry</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> LdrpReleaseTlsEntryFn</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> LdrpReleaseTlsEntry</span><span style="color: #89DDFF;">(</span><span>module_info</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">ptr</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">null_mut</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>window</span><span style="color: #89DDFF;">) =</span><span> ntdll_text</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">windows</span><span style="color: #89DDFF;">(</span><span>LDRP_HANDLE_TLS_DATA_SIGNATURE_BYTES</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">len</span><span style="color: #89DDFF;">())</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">find</span><span style="color: #89DDFF;">(|&amp;</span><span>window</span><span style="color: #89DDFF;">|</span><span> window</span><span style="color: #89DDFF;"> ==</span><span> LDRP_HANDLE_TLS_DATA_SIGNATURE_BYTES</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Get this window&#39;s pointer. It will land us in the middle of this function though</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> ptr</span><span style="color: #89DDFF;"> =</span><span> window</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Walk backwards until we find the prologue. Pray this function retains padding</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> loop</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> *</span><span>ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0xcc</span><span style="color: #89DDFF;"> &amp;&amp; *</span><span>ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0xcc</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> ptr</span><span style="color: #89DDFF;"> =</span><span> ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> #[</span><span>allow</span><span style="color: #89DDFF;">(</span><span>non_snake_case</span><span style="color: #89DDFF;">)]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> LdrpHandleTlsData</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> LdrpHandleTlsDataFn</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">(</span><span>ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> LdrpHandleTlsData</span><span style="color: #89DDFF;">(</span><span>module_info</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h3 id="patching-command-line-args"><a class="zola-anchor" href="#patching-command-line-args" aria-label="Anchor link for: patching-command-line-args" >#</a > Patching Command-Line Args</h3> <p>This has been done by other PE loaders, but I wanted to call this out as well: while the PEB contains the image name and process arugments, so does <code>kernelbase.dll</code>! Why? For <code>GetCommandLineW</code> and <code>GetCommandLineA</code> of course.</p> <p>This one wasn't <em>too</em> bad to patch so long as you want to rely on the fact that the <code>UNICODE_STRING</code> structure for the PEB and in <code>kernelbase.dll</code> share the same backing buffer (i.e. the latter is a shallow copy of the former). That also doesn't account for the <code>ANSI_STRING</code> variant... but 🤷‍♂️</p> <p>tl;dr of the following code: we scan the global memory of <code>kernelbase.dll</code> looking for the previously mentioned <code>UNICODE_STRING</code> buffer pointer we obtained from the PEB then, once found, update its pointer and length to match our new pointer and length.</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #F78C6C;">pub unsafe fn</span><span style="color: #82AAFF;"> patch_cli_args</span><span style="color: #89DDFF;">(</span><span>args</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Option</span><span style="color: #89DDFF;">&lt;&amp;[</span><span style="color: #FFCB6B;">u16</span><span style="color: #89DDFF;">]&gt;,</span><span> kernelbase_ptr</span><span style="color: #89DDFF;">: *</span><span style="color: #C792EA;">mut</span><span style="color: #FFCB6B;"> u8</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>args</span><span style="color: #89DDFF;">) =</span><span> args</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> peb</span><span style="color: #89DDFF;"> = (*</span><span style="color: #82AAFF;">teb</span><span style="color: #89DDFF;">()).</span><span style="color: #FFCB6B;">ProcessEnvironmentBlock</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // This buffer pointer should match the cached UNICODE_STRING in kernelbase</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> buffer</span><span style="color: #89DDFF;"> = (*(*</span><span>peb</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">ProcessParameters</span><span style="color: #89DDFF;">).</span><span style="color: #FFCB6B;">CommandLine</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Buffer</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Search this pointer in kernel32&#39;s .data section</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>kernelbase_data</span><span style="color: #89DDFF;">) =</span><span style="color: #82AAFF;"> get_module_section</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">,</span><span style="color: #C3E88D;"> b</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">.data</span><span style="color: #89DDFF;">&quot;) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> ptr</span><span style="color: #89DDFF;"> =</span><span> kernelbase_data</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">as_mut_ptr</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> len</span><span style="color: #89DDFF;"> =</span><span> kernelbase_data</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">len</span><span style="color: #89DDFF;">() /</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Do not have two mutable references to the same memory range</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> data_as_wordsize</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">slice</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">from_raw_parts</span><span style="color: #89DDFF;">(</span><span>ptr</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">const</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">,</span><span> len</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Some</span><span style="color: #89DDFF;">(</span><span>found</span><span style="color: #89DDFF;">) =</span><span> data_as_wordsize</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">iter</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> .</span><span style="color: #82AAFF;">position</span><span style="color: #89DDFF;">(|</span><span>ptr</span><span style="color: #89DDFF;">| *</span><span>ptr</span><span style="color: #89DDFF;"> ==</span><span> buffer</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // We originally found this while scanning usize-sized data, so we have to translate</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // this to a byte index</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> found_buffer_byte_pos</span><span style="color: #89DDFF;"> =</span><span> found</span><span style="color: #89DDFF;"> *</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of</span><span style="color: #89DDFF;">::&lt;</span><span style="color: #FFCB6B;">usize</span><span style="color: #89DDFF;">&gt;();</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Get the start of the unicode string</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> unicode_str_start</span><span style="color: #89DDFF;"> =</span></span> <span class="giallo-l"><span> found_buffer_byte_pos</span><span style="color: #89DDFF;"> -</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">offset_of!</span><span style="color: #89DDFF;">(</span><span>UNICODE_STRING</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> Buffer</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> unicode_str</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">transmute</span><span style="color: #89DDFF;">::&lt;</span><span>_</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #C792EA;">mut</span><span> UNICODE_STRING</span><span style="color: #89DDFF;">&gt;(</span></span> <span class="giallo-l"><span> ptr</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">offset</span><span style="color: #89DDFF;">(</span><span>unicode_str_start</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> isize</span><span style="color: #89DDFF;">),</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> );</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> args_byte_len</span><span style="color: #89DDFF;"> =</span><span> args</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">len</span><span style="color: #89DDFF;">() *</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of</span><span style="color: #89DDFF;">::&lt;</span><span style="color: #FFCB6B;">u16</span><span style="color: #89DDFF;">&gt;();</span></span> <span class="giallo-l"><span> unicode_str</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Buffer</span><span style="color: #89DDFF;"> =</span><span> args</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">as_ptr</span><span style="color: #89DDFF;">()</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> unicode_str</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">Length</span><span style="color: #89DDFF;"> =</span><span> args_byte_len</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> u16</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> unicode_str</span><span style="color: #89DDFF;">.</span><span style="color: #FFCB6B;">MaximumLength</span><span style="color: #89DDFF;"> =</span><span> args_byte_len</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> u16</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h3 id="preventing-hijacked-application-crashes"><a class="zola-anchor" href="#preventing-hijacked-application-crashes" aria-label="Anchor link for: preventing-hijacked-application-crashes" >#</a > Preventing Hijacked Application Crashes</h3> <p>I thought a great idea to prevent the hijacked application from crashing by suspending all of its threads. I was surprised to learn that not only was this fairly easy to do on Windows, it was <em>even</em> easier to accidentally do this from a non-admin session for all other Medium-IL processes!</p> <p><a href="/img/pe-loader/thread_suspension.png"><img src="/img/pe-loader/thread_suspension.png" alt="Tweet by @landaire with text, &quot;it has been 0 minutes since I last accidentally suspended all medium-IL threads on my system&quot;" /></a></p> <p><em>Yeah, don't call <code>CreateToolhelp32Snapshot()</code> incorrectly</em>.</p> <p>The Windows examples were fairly straightforward but on Xbox the code crashed. And that's because the <code>kernel32_ptr</code> here actually needs to be a pointer to <code>kernel32legacy.dll</code> since on Xbox <code>kernel32.dll</code> doesn't exist.</p> <p>That took me a while to figure out and hunt down and double-check where the functions got relocated to.</p> <p>Here is the code I eventually came up with:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #F78C6C;">pub unsafe fn</span><span style="color: #82AAFF;"> suspend_threads</span><span style="color: #89DDFF;">(</span><span>kernel32_ptr</span><span style="color: #89DDFF;">:</span><span> PVOID</span><span style="color: #89DDFF;">,</span><span> kernelbase_ptr</span><span style="color: #89DDFF;">:</span><span> PVOID</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // kernel32legacy.dll on xbox</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> CreateToolhelp32Snapshot</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_create_tool_help32</span><span style="color: #89DDFF;">(</span><span>kernel32_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Thread32Next</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_thread_32_next</span><span style="color: #89DDFF;">(</span><span>kernel32_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> Thread32First</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_thread_32_first</span><span style="color: #89DDFF;">(</span><span>kernel32_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // kernelbase.dll on xbox</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> GetCurrentThreadId</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_get_current_thread_id</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> GetCurrentProcessId</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_get_current_process_id</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> OpenThread</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_open_thread</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> SuspendThread</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_suspend_thread</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span style="color: #FFCB6B;"> CloseHandle</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> fetch_close_handle</span><span style="color: #89DDFF;">(</span><span>kernelbase_ptr</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> pid</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> GetCurrentProcessId</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Suspend all other threads except this one</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> h</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> CreateToolhelp32Snapshot</span><span style="color: #89DDFF;">(</span><span>TH32CS_SNAPTHREAD</span><span style="color: #89DDFF;">,</span><span> pid</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> current_thread</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> GetCurrentThreadId</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let mut</span><span> te</span><span style="color: #89DDFF;">:</span><span> THREADENTRY32</span><span style="color: #89DDFF;"> =</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">zeroed</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span> te</span><span style="color: #89DDFF;">.</span><span>dwSize </span><span style="color: #89DDFF;">=</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of_val</span><span style="color: #89DDFF;">(&amp;</span><span>te</span><span style="color: #89DDFF;">)</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #82AAFF;"> Thread32First</span><span style="color: #89DDFF;">(</span><span>h</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #C792EA;">mut</span><span> te</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> loop</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> te</span><span style="color: #89DDFF;">.</span><span>dwSize </span><span style="color: #F78C6C;">as</span><span style="color: #FFCB6B;"> usize</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &gt;=</span><span style="color: #82AAFF;"> offset_of!</span><span style="color: #89DDFF;">(</span><span>THREADENTRY32</span><span style="color: #89DDFF;">,</span><span> th32OwnerProcessID</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of_val</span><span style="color: #89DDFF;">(&amp;</span><span>te</span><span style="color: #89DDFF;">.</span><span>th32OwnerProcessID</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &amp;&amp;</span><span> te</span><span style="color: #89DDFF;">.</span><span>th32OwnerProcessID </span><span style="color: #89DDFF;">==</span><span> pid</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &amp;&amp;</span><span> current_thread</span><span style="color: #89DDFF;"> !=</span><span> te</span><span style="color: #89DDFF;">.</span><span>th32ThreadID</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> thread_handle</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> OpenThread</span><span style="color: #89DDFF;">(</span><span>THREAD_SUSPEND_RESUME</span><span style="color: #89DDFF;">, false,</span><span> te</span><span style="color: #89DDFF;">.</span><span>th32ThreadID</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> SuspendThread</span><span style="color: #89DDFF;">(</span><span>thread_handle</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #82AAFF;"> Thread32Next</span><span style="color: #89DDFF;">(</span><span>h</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #C792EA;">mut</span><span> te</span><span style="color: #F78C6C;"> as</span><span style="color: #89DDFF;"> *</span><span style="color: #C792EA;">mut</span><span> _</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> te</span><span style="color: #89DDFF;">.</span><span>dwSize </span><span style="color: #89DDFF;">=</span><span style="color: #FFCB6B;"> core</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">mem</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">size_of_val</span><span style="color: #89DDFF;">(&amp;</span><span>te</span><span style="color: #89DDFF;">)</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> u32</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> CloseHandle</span><span style="color: #89DDFF;">(</span><span>h</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h2 id="todo"><a class="zola-anchor" href="#todo" aria-label="Anchor link for: todo" >#</a > TODO</h2> <p>There are still some remaining items for the loader:</p> <ul> <li>Ensure that <code>GetModuleHandle(NULL)</code> (handle to self) works correctly.</li> <li>Maybe load .NET binaries? We already have a technique for launching .NET code, but having an all-in-one solution might be nice.</li> <li>Maybe make this a generic crate?</li> </ul> <h2 id="fin"><a class="zola-anchor" href="#fin" aria-label="Anchor link for: fin" >#</a > fin</h2> <p>This was a fun exercise that taught me a lot about how Windows binaries are loaded. I'd like to thank carrot_c4k3, tuxuser, and 0e9ca321209eca529d6988c276e4e4ed for their help/support.</p> <p>With this work, we're now able to do cool things on Xbox!</p> <p>For example, using the PE loader we can launch the main GameScript exploit, launch Emma's Windows exploit binary to elevate privileges, spawn a new process as suspended, inject our shellcode/PE loader, and execute a custom SSH/SFTP daemon which uses tokio for async. I think I accomplished my goal of loading complex applications :)</p> <div class="video-container"> <video controls> <source src="&#x2F;img&#x2F;pe-loader&#x2F;xbox_hacks.mp4" type="video/mp4" /> </video> </div> <p><em>The top terminal session is the payload server running on my PC, while the bottom netcat session is the output from the exploit and SSH daemon running on my Xbox.</em></p> <p>tuxuser even managed to get toasts working!</p> <p><a href="/img/pe-loader/collat_achievement.webp"><img src="/img/pe-loader/collat_achievement.webp" alt="Collateral Damage Executed Achievement" /></a></p> 2024-07-30T00:00:00+00:00 2024-07-30T00:00:00+00:00 Unknown https://landaire.net/mitming-the-xbox-360-dashboard-for-rce-and-fun/ <p>In the late 2000s and early 2010s my friends and I were living and breathing Xbox hacking. We were heavily interested in game betas, internal tools, and in general exploring everything the console had to offer.</p> <p>In 2010 -- or maybe 2011? the dates are getting blurry to me -- my friend Emma (<a rel="external" href="https://twitter.com/carrot_c4k3">@carrot_c4k3</a>) was reverse engineering how the Xbox 360 dashboard worked in order to get Hulu Plus on her retail console (there are a lot more details here missing, but that's the <em>why</em>).</p> <p>Somewhere along the way she discovered that there were different URLs and paths which served different "dashboard channels". A normal console would load the following endpoint as the root manifest for content:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>http://epix.xbox.com/epix/en-US/homepage.xml</span></span></code></pre> <p>And alternate channels for beta audiences existed at URLs like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>http://epix.xbox.com/beta/preview_green/epix/en-US/homepage.xml</span></span> <span class="giallo-l"><span>http://epix.xbox.com/beta/takehome_green/epix/en-US/homepage.xml</span></span></code></pre> <p>These manifest files contain the metadata for dynamic marketplace slots and channels that were used to serve ads:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="xml"><span class="giallo-l"><span style="color: #89DDFF;">&lt;</span><span style="color: #F07178;">channel</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span><span>XBOX360</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">definitionpath</span><span style="color: #89DDFF;">&gt;</span><span>epix://xbox360channel.xml</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">definitionpath</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;/</span><span style="color: #F07178;">channel</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">channel</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span><span>XBOX_PRE_RELEASE</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">channeldef</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span><span>Xbox Pre-Release</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">type</span><span style="color: #89DDFF;">&gt;</span><span>online</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">type</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">slot</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">name</span><span style="color: #89DDFF;">&gt;</span><span>Marker Scene</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">name</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span><span>Xbox Beta Program</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">description2</span><span style="color: #89DDFF;">&gt;</span><span>Preview LIVE update</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">description2</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">rating</span><span style="color: #89DDFF;">&gt;</span><span>267242991</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">rating</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">shallowimg</span><span style="color: #89DDFF;">&gt;</span><span>http://epix.xbox.com/shaXam/0201/df/e8/dfe8c92a-84b2-4fbc-8ee3-7af37dee567d.JPG?v=1#Beta_Audiences.JPG</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">shallowimg</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;/</span><span style="color: #F07178;">slot</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">slot</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">name</span><span style="color: #89DDFF;">&gt;</span><span>Beta Announcements</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">name</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span><span>Announcements</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">description</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">description2</span><span style="color: #89DDFF;">&gt;</span><span>Read the latest information</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">description2</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">rating</span><span style="color: #89DDFF;">&gt;</span><span>267242991</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">rating</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">shallowimg</span><span style="color: #89DDFF;">&gt;</span><span>http://epix.xbox.com/shaXam/0201/37/6b/376b27a2-635b-4284-8fb4-713be4c98f60.JPG?v=1#Beta_Announcments.JPG</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">shallowimg</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">epixid</span><span style="color: #89DDFF;">&gt;</span><span>46f2016d-0bd6-4d0b-8cb1-f2a81356b246</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">epixid</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">onclick</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">button</span><span style="color: #89DDFF;">&gt;</span><span>A</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">button</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">helptext</span><span style="color: #89DDFF;">&gt;</span><span>Select</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">helptext</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">action</span><span style="color: #89DDFF;">&gt;</span><span>KeyDown</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">action</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;/</span><span style="color: #F07178;">onclick</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;/</span><span style="color: #F07178;">slot</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">epix</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span><span>46f2016d-0bd6-4d0b-8cb1-f2a81356b246</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">id</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">format</span><span style="color: #89DDFF;">&gt;</span><span>LUAXZP</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">format</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">path</span><span style="color: #89DDFF;">&gt;</span><span>http://epix.xbox.com/shaXam/0204/79/35/7935844a-91a8-45fe-a9c0-94dfa4d6c053.lzp?v=11#Beta_Announcements.lzp</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">path</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F07178;">param</span><span style="color: #89DDFF;">&gt;</span><span>url=http://live:11/xedl/BetaChannelXml/external/announcements.xml</span><span style="color: #89DDFF;">&lt;/</span><span style="color: #F07178;">param</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;/</span><span style="color: #F07178;">epix</span><span style="color: #89DDFF;">&gt;</span></span></code></pre> <p>The <code>preview_green</code> URL was for users in the public Xbox LIVE preview, which Emma was a part of and therefore stood out. Through examining the Lua scripts and other manifest files she discovered a reference to <code>epix-preview.xbox.com</code> and tried loading the <code>preview_green</code> path from that domain instead.</p> <p>She discovered that the manifest from this domain contained <em>all</em> of the possible dashboard channels that were being tested for the various audiences.</p> <p>Emma had just discovered some critical info that <strong>there were other beta dashboard channels</strong>, the content of the channels reflected things that employees would typically only see, and there were multiple variations of beta channels.</p> <h2 id="inventing-man-in-the-middle-attacks"><a class="zola-anchor" href="#inventing-man-in-the-middle-attacks" aria-label="Anchor link for: inventing-man-in-the-middle-attacks" >#</a > Inventing Man-in-the-Middle Attacks</h2> <p>A year or two before all of this, Emma and I self-discovered what a <a rel="external" href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle</a> (MITM) attack was in the most janky way possible. I had learned that you could share your ethernet adapter on your PC with your Xbox to tunnel your Xbox's traffic through the PC and frequently used this technique to analyze the plaintext HTTP API calls the Xbox made to the marketplace services.</p> <p>I had also learned about what a <a rel="external" href="https://en.wikipedia.org/wiki/Hosts_(file)"><code>hosts</code> file</a> was, and one day decided to try something wild:</p> <p>Redirect the ProdNet (retail) Xbox LIVE marketplace to the PartnerNet (developer) Xbox LIVE marketplace by adding an entry for marketplace.xboxlive.com in my hosts file, pointing at the PartnerNet IP address.</p> <p>It didn't work for me for some reason. But Emma tried it and it worked! She was seeing content from the developer network on her retail console.</p> <p>We knew how to reverse engineer PowerPC but knew absolutely nothing about networking. At this time we were loosely familiar with the idea of a MITM attack but had no idea how to actually perform one if you control the network. We walked away feeling as if we'd just discovered electricity.</p> <h2 id="practical-mitm-attacks"><a class="zola-anchor" href="#practical-mitm-attacks" aria-label="Anchor link for: practical-mitm-attacks" >#</a > Practical MITM Attacks</h2> <p>Being the smart but dumb hackers we were, we decided to try using our hosts file/networking sharing trick on something even <em>crazier</em>:</p> <p>We were going to mirror the <code>http://epix-preview.xbox.com/epix/en-US/homepage.xml</code> manifest and all of its dependencies on our local machine, then set up a web server that served the content.</p> <p>Ditto with <code>http://epix.xbox.com/beta/preview_green/epix/en-US/homepage.xml</code> URLs -- we would essentially rewrite the the manifest URL <em>we wanted</em> to be located on disk where the console <em>actually</em> loaded from. e.g. the <code>/beta/preview_green/</code> part of the path was removed and would be located at <code>http://epix.xbox.com/epix/en-US/homepage.xml</code> instead and <code>epix.xbox.com</code> would resolve to <code>127.0.0.1</code>.</p> <p>It's worth noting that these files were RSA signed and couldn't be tampered with:</p> <p><a href="/img/xbox-dashboard/epix-preview-signature.png"><img src="/img/xbox-dashboard/epix-preview-signature.png" alt="Dashboard manifest header" /></a></p> <p>Ditto with the XUI Lua scripts referenced by them (e.g. <code>http://epix.xbox.com/shaXam/0204/79/35/7935844a-91a8-45fe-a9c0-94dfa4d6c053.lzp?v=11#Beta_Announcements.lzp</code>)</p> <p>This worked surprisingly well and for a long time we were happily accessing internal Xbox employee dashboards. With a C# utility to automate the work we were mirroring the manifest files every week or so and seeing what was new:</p> <p><a href="/img/xbox-dashboard/epix-mirrored.jpg"><img src="/img/xbox-dashboard/epix-mirrored.jpg" alt="Screenshot of the mirrored dashboard channels" /></a></p> <p><em>Please ignore Ron Jeremy. I had no idea who he was at the time and had searched for "fat greasy man" with the intention of replacing all images in for the Canadian region (<code>en-CA</code>) with that photo to prank one of our friends in Canada who was using our server. It's unfortunate that this is one of the only clear screenshots of our MITM tricks that survived time.</em></p> <h3 id="manifests-from-other-live-environments"><a class="zola-anchor" href="#manifests-from-other-live-environments" aria-label="Anchor link for: manifests-from-other-live-environments" >#</a > Manifests from Other Live Environments</h3> <p>A quick note about the dashboard manifest files: although the Xbox 360 had different signing keys for dev vs retail <em>executables and game content</em>, the dashboard files were signed with a shared key.</p> <p>Through leaked internal Xbox 360 dev kit recoveries we were able to access alternate Xbox LIVE environments such as "int2", "vint", and a few others:</p> <p><a href="/img/xbox-dashboard/xbox-live-environments.jpg"><img src="/img/xbox-dashboard/xbox-live-environments.jpg" alt="Xbox LIVE environments as seen on the Xbox 360 dev launcher" /></a></p> <p><a href="/img/xbox-dashboard/live-environments-folder.png"><img src="/img/xbox-dashboard/live-environments-folder.png" alt="A folder of different Xbox LIVE environment files" /></a></p> <p>Emma connected to int2 one day and discovered that the manifest files were set up for testing all of the available Xbox LIVE Gold offers... including Xbox LIVE for $1.</p> <p>Since we could use these files on our retail Xboxes, we were able to continuously alternate between the Xbox LIVE Gold for free and Xbox Live Gold for $1 offers to get 1 year of Gold for $6/year.</p> <h3 id="what-s-a-preview-tool"><a class="zola-anchor" href="#what-s-a-preview-tool" aria-label="Anchor link for: what-s-a-preview-tool" >#</a > What's a "Preview Tool"?</h3> <p>Eventually on one of the dashboard channels I saw something weird that caught my eye:</p> <p><a href="/img/xbox-dashboard/preview-tool-listing.jpg"><img src="/img/xbox-dashboard/preview-tool-listing.jpg" alt="A dashboard channel showing a Native American on a dashboard tile with the text &quot;Xbox LIVE Marketplace Tools&quot;" /></a></p> <p>It's really hard to see on this terrible camera phone/CRT photo but the tile says "Xbox LIVE Programming Tools" at the very top. Upon navigating to the card there was an option to download something called "Preview Tool".</p> <p>This is a little more clear to see on the app's boxart:</p> <p><a href="/img/xbox-dashboard/preview-tool-modern-card.png"><img src="/img/xbox-dashboard/preview-tool-modern-card.png" alt="A dashboard channel showing a Native American on a dashboard tile with the text &quot;Xbox LIVE Marketplace Tools&quot;" /></a></p> <p>The file was <em>very</em> small and only displayed a message box asking if you'd like to enable "preview mode":</p> <p><a href="/img/xbox-dashboard/preview-tool-message-box.png"><img src="/img/xbox-dashboard/preview-tool-message-box.png" alt="An Xbox message box with options to enable/disable preview mode" /></a></p> <p>Upon enabling preview mode we suddenly saw debug information on the dashboard:</p> <p><a href="/img/xbox-dashboard/preview-tool-debug.png"><img src="/img/xbox-dashboard/preview-tool-debug.png" alt="The Xbox dashboard with debug text printed out in the corner" /></a></p> <p>Again, the text is <em>very</em> hard to see but there is now red text in the top-right corner of the dashboard showing debug output including the frames per second the dashboard is rendering at. We also noticed that Preview Tool <em>on its own</em> could force our console to use the internal dashboard files without having to do the MITM which made life much easier for us.</p> <h2 id="arbitrary-code-execution"><a class="zola-anchor" href="#arbitrary-code-execution" aria-label="Anchor link for: arbitrary-code-execution" >#</a > Arbitrary Code Execution</h2> <p>Preview Tool was a unique type of application in that it actually had an expiration date associated with it. You were required to be on Xbox LIVE to launch the app and its revocation/expiration status would be checked by the system.</p> <p>Sooner or later our copies of Preview Tool expired. Although we had the means of downloading anything we wanted from the Xbox LIVE marketplace we were too lazy to brute-force the randomized 32-bit ID required to download the newer packages that expired in the future. We had done this for other titles in the past but it was a process that took a couple days when distributed across multiple parties.</p> <p><a href="/img/xbox-dashboard/halo4-offer-brute-force.jpg"><img src="/img/xbox-dashboard/halo4-offer-brute-force.jpg" alt="Brute forcing the Halo 4 beta offer ID with Archangel" /></a></p> <p><em>Archangel was a utility developed by <a rel="external" href="https://twitter.com/xenomega9">@xenomga9</a> for brute forcing the Halo 4 beta's offer ID. If you were ever wondering how the "<a rel="external" href="https://www.youtube.com/watch?v=POconAHU3aE">Halo 4 barn video</a>" came to be, this was it.</em></p> <p>Brute forcing just wasn't worth the time and effort though when we were still doing CDN cloning for our friends without Preview Tool. So we just stopped getting Preview Tool and started doing MITM again.</p> <p>We didn't realize how powerful Preview Tool was until our copies had expired. At some point I wanted to know how Preview Tool had been forcing the console to use internal dashboard channels, so I opened it up in IDA and noticed a call to an API I'd never seen before named <code>XamSetStagingMode</code>.</p> <p><a href="/img/xbox-dashboard/xam-set-staging-mode-call.png"><img src="/img/xbox-dashboard/xam-set-staging-mode-call.png" alt="XamSetStagingMode function call" /></a></p> <p>And the <code>XamSetStagingMode</code> API just sets some global:</p> <p><a href="/img/xbox-dashboard/xam-set-staging-mode.png"><img src="/img/xbox-dashboard/xam-set-staging-mode.png" alt="XamSetStagingMode function disassembly" /></a></p> <p>Ok... so who uses this global?</p> <p><a href="/img/xbox-dashboard/staging-mode-references.png"><img src="/img/xbox-dashboard/staging-mode-references.png" alt="System staging mode global references" /></a></p> <p>Interesting! <code>XamVerifyXSignerSignature</code> is used for verifying certain things which aren't checked by the hypervisor, like the dashboard manifest files and their Lua scripts. Checking how this is used:</p> <p><a href="/img/xbox-dashboard/staging-mode-check.png"><img src="/img/xbox-dashboard/staging-mode-check.png" alt="XamVerifyXSignerSignature diassembly" /></a></p> <p>Not shown in the above screenshot, but if staging mode is enabled and the file signature isn't valid the console will debug print the following string:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>XamVerifyXSignerSignature: Signature not trusted, but ok since we&#39;re in staging mode or on a devkit</span></span></code></pre> <p>i.e. <code>XamSetStagingMode()</code>, and therefore Preview Tool, disables all signature checks of dashboard contents. <em>Correction: <code>XamVerifyXSignerSignature</code> will allow unsigned content if the caller provides a certain flag indicating they want to allow untrusted signatures in devkit/staging mode. Back when we originally discovered Preview Tool, the dashboard provided this flag but does not appear to anymore.</em></p> <p>This doesn't actually answer the question though of how the alternate dashboard channels were being used.</p> <p>Although I never looked into it fully, I believe the dashboard or another component called <code>XamGetStagingMode()</code> and used a different value for the epix CDN/path. There also exists a "Live Hive" which is a key-value store used for dynamically configuring Xbox LIVE settings:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>CatalogCDNUriPort=80</span></span> <span class="giallo-l"><span>CatalogCDNUriRoot=http://catalog.vint.xboxlive.com</span></span> <span class="giallo-l"><span>CatalogUriPort=80</span></span> <span class="giallo-l"><span>CatalogUriRoot=http://catalog.vint.xboxlive.com</span></span> <span class="giallo-l"><span>CloudStorageStatus=1</span></span> <span class="giallo-l"><span>CommunityGamesTrialExpirationInSeconds=480</span></span> <span class="giallo-l"><span>ContractManagerUriRoot=http://contractfd.test.xboxlive.com/v2</span></span></code></pre> <p>I'm almost positive one of these settings was overwritten by Preview Tool (or something else) to point at a different base URL for epix.</p> <p>Although this is a bit anticlimactic, we barely even bothered to use this newfound knowledge of disabling signature checks since we had dev kits and could run our own <em>native</em> code anyways. This only gave us arbitrary Lua scripting capabilities.</p> <p>It also meant we'd have to grab Preview Tool versions that weren't expired every now and then, which we were too lazy to do. But it was nice to know that if we wanted to, we now knew how to control scripts on the dashboard.</p> <p>In the end what we got from this entire effort was access to Xbox employee-only game betas, tools, and interesting insight into how the dashboard worked.</p> <p>You can download some of the interesting manifest files I had saved on an old HDD <a rel="external" href="https://archive.org/details/epix-playground-manifests">on Archive.org</a>. Unfortunately I did not mirror the Lua scripts and <code>epix-preview.xbox.com</code> has since been killed off by Microsoft -- but that's a story for another day :)</p> 2024-06-03T00:00:00+00:00 2024-06-03T00:00:00+00:00 Unknown https://landaire.net/on-dependency-usage-in-rust/ <h2 id="context"><a class="zola-anchor" href="#context" aria-label="Anchor link for: context" >#</a > Context</h2> <p>A couple months back I read <a rel="external" href="https://scribe.rip/@john_25313/c-isnt-a-hangover-rust-isn-t-a-hangover-cure-580c9b35b5ce">"C isn't a Hangover; Rust isn't a Hangover Cure"</a> (<a rel="external" href="https://medium.com/@john_25313/c-isnt-a-hangover-rust-isn-t-a-hangover-cure-580c9b35b5ce">original Medium link</a>) by John Viega. I <a rel="external" href="https://x.com/landaire/status/1782890213146083625">responded to the post</a> already on Twitter (sometimes known as X) and in hindsight should have just written a blog post to begin with since the platform is so terrible for longform comment.</p> <p>What follows is hopefully a more organized, digestable, and better response to John's post than what I wrote on Twitter. If you haven't read his post, I recommend giving it a read for full context instead of reading just what I've decided to directly respond to.</p> <p>John's post goes into some concerns about using Rust and if Rust is really the right choice over something GC'd, and covers a few angles including whether memory safety really matters for you, what language best fits your <em>team</em>, and something that came up multiple times is dependency usage.</p> <p>I disagree with some of the arguments John made surrounding dependencies and I frequently hear similar sentiments said by crowds who are anti-Rust. The idea that a program is less desirable or less secure because it has more dependencies. I find these arguments to be an easy jab lacking substance, and wanted to take an opportunity to challenge them.</p> <p>My big complaint with John's points is that he spells out negatives but ignores most positives, instead telling the reader to figure those out for themselves.</p> <p>It's important to understand who I am for a frame of reference: my background is in security and I first learned to program in C# making tools for Xbox 360 modding. That involved some reverse engineering and learning C++ for writing trainers/tools/cheats or whatever stuff would have to run on the console. Following my Xbox hacking in my teens, I professionally did web dev for some years (PHP), then web security, then hypervisor security at Microsoft, and now native code security focused on mobile applications. With the exception of my ~3 years in professional web dev, my title has always had "Security Engineer" in it -- not "Software Engineer". I sure as shit write a lot of code though.</p> <p>I was entirely self-taught in programming at age 13 mostly through following online tutorials, and got a bachelor's degree in computer science.</p> <p>My language of choice for about 8 years now has been Rust. This was settled upon after trying Go, D, Python, and some other languages inbetween. I am nobody in C/C++ circles and I'm a nobody in Rust circles, but I do pay close attention to the Rust community because I love the language.</p> <h2 id="why-are-dependencies-seen-as-insecure"><a class="zola-anchor" href="#why-are-dependencies-seen-as-insecure" aria-label="Anchor link for: why-are-dependencies-seen-as-insecure" >#</a > Why are dependencies seen as insecure?</h2> <p>John talks about this at good length and it's worth reading his thoughts. If you're too lazy to do so, I think it can be sufficiently summarized as:</p> <ol> <li>"Code review is a lot harder to do well than writing code"</li> <li>Dependencies can come from anyone and can generally be contributed to by anyone. Therefore the more dependencies you have, the larger your implicit circle of trust, and any break in that circle breaks your security. They become a single point of failure.</li> <li>You trust the code you write, and you know the code you write.</li> </ol> <p>On #1, I don't agree -- at least not broadly. It's probably true for small bits of code that you have the technical know-how to write yourself, but in memory-safe langauges what's the worst thing you can miss in a code review of something that's not technically complicated? Probably minor bugs that would cause a DoS. So you bring in a dependency that you didn't audit super closely and now you have a DoS in your application. Depends on your threat model how important this is to you, and whether that impacts your mental quality rating of the dependency.</p> <p>On #2 I mostly agree. You are opening up your circle of trust, but done right you can protect yourself. The <a rel="external" href="https://en.wikipedia.org/wiki/Npm_left-pad_incident">npm left-pad incident</a> is a prime example of what can go wrong from even a non-malicious dependency failure.</p> <p>In the left-pad incident a package named "left-pad" was removed from the npm registry causing widespread build failures for almost every node.js application. The broad usage of this dependency shocked people since it was less than 50 lines of code and could be written by anyone.</p> <p>If you're pulling in a dependency that's <em>already</em> compromised then you're a bit late, but for avoiding <em>future</em> compromise you can:</p> <ul> <li>Use a package service that does not delete yanked dependencies. This should only be possible in extremely rare scenarios where e.g. someone's private information was exposed. crates.io, Rust's default package source, <a rel="external" href="https://crates.io/policies">does not permit deletion</a>.</li> <li>Commit lockfiles to ensure that builds are reproducible, the same dependencies are pulled every time, and a future compromise of a dependency doesn't impact you unless you explicitly update. This is the default behavior for Cargo and npm. The lockfile will also ensure that the dependency's location is preserved, preventing dependency substitution attacks and should ensure that with the first point above that even a yanked dependency can still be resolved.</li> <li>Vendor dependencies so that you have a true complete snapshot of things without relying on 3rd parties. This weighs a lot more and is harder to manage over time but is an immediate solution to both of the above points.</li> </ul> <p>On #3, sure. This is reasonable, but there are costs to writing that code that I'll cover later on.</p> <h2 id="just-because-c-c-users-suffer-doesn-t-mean-everyone-else-has-to"><a class="zola-anchor" href="#just-because-c-c-users-suffer-doesn-t-mean-everyone-else-has-to" aria-label="Anchor link for: just-because-c-c-users-suffer-doesn-t-mean-everyone-else-has-to" >#</a > Just because C/C++ users suffer doesn't mean everyone else has to</h2> <p>I'm going to quote a few of John's paragraphs for full context and then dissect some of them one-by-one:</p> <blockquote> <p>Rust makes it easy to pull in outside dependencies, and much like in the JavaScript ecosystem, it seems to have encouraged lots of tiny dependencies. That makes it a lot harder to monitor and manage the problem.</p> <p>But Rust’s situation is even worse than in most languages, in that core Rust libraries (major libraries officially maintained by the Rust project) make heavy use of third party dependencies. The project needs to take ownership and provide oversight for their libraries.</p> <p>To me, this has long been one of the biggest risks in software. I can write C code that is reasonably defensive, but I have a hard time trusting any single dependency I use, never mind scaling that out.</p> <p>Properly securing your dependency supply chain is a much harder problem than writing safe C code. Personally, I only pull in dependencies beyond standard libraries if the work I’d have to do in order to credibly replace the functionality is so great that, if I didn’t bring in a dependency, I would choose not to do the work.</p> <p>C is a lot better than Rust in this regard, but it’s not particularly great. Partially, that’s because the C standard libraries (which I am always willing to use; the core language implementation and runtime is a given) are not at all extensive. People who write a lot of C end up building things themselves once and keeping them around and adapting them for decades, including basic data structures like hash tables.</p> </blockquote> <p>First of all, I strongly disagree with the sentiment that securing your dependency supply chain is harder than writing safe C/C++ code.</p> <p>You have to be at least a moderately advanced user in C++/core memory safety ideas to come to the realization that modifying a container while iterating it with iterators is a bad idea, or that there are subtly different ways to zero-initialize a structure that result in subtly different ways of it being zero-initialized (which may or may not include its padding), or that <a rel="external" href="https://stackoverflow.com/a/31774802/455678">some types of pointer arithmetic/comparisons are undefined behavior</a>.</p> <p>You don't need to be an advanced programmer to do a short sniff test to see if a dependency you're bringing in to your application looks fairly widely used and trusted by a community. Sure, the XZ backdoor is an extreme example of even experts who were <em>members of the project</em> missed something snuck in over time, but this is not what we're talking about here.</p> <blockquote> <p>Rust makes it easy to pull in outside dependencies</p> </blockquote> <p>Honestly? <em>Thank god</em>.</p> <p>While C/C++ applications generally require fewer dependencies, most of the time you're relying on the project maintainer to provide you with a list of those dependencies and how to install them with your platform's preferred package manager.</p> <p>Something that I always find myself saying when try to build a C/C++ application from source is "shit I'm missing a header" and general complaints about the build tools themselves. And of course the build/configuration tool tells you what you lack but doesn't tell you what you need to install because that's not its responsibility. The build tool may support building on your favorite OS, but it doesn't know how to install packages on that OS or even <em>what</em> the package is.</p> <p>So you're left with a terrible error message that can leave you wondering "Do I need to install lib-dev-whatever2 or just lib-whatever2? Is this even available via my OS's package manager?"</p> <p>Don't forget all of the dependencies you need to install just to install the dependency too: pkgconf, autoconf, autotools, ninja, cmake, whatever, and any other libraries this single dependency may rely on. Kicking the problem into a Dockerfile is also not a good substitution for a quality build tool.</p> <p>The developer experience surrounding dependencies in C/C++ is so awful that you just default to not using any at all. Or you bring in a "header-only library" that makes integration easy because bringing in multiple external source/header files makes people want to turn off their computer and consider another career.</p> <blockquote> <p>[Easy dependency usage] seems to have encouraged lots of tiny dependencies. That makes it a lot harder to monitor and manage the problem.</p> </blockquote> <p>I disagree that the dependency story becomes harder to manage. There are multiple tools to monitor and manage your dependency usage in Rust:</p> <ul> <li><a rel="external" href="https://doc.rust-lang.org/cargo/commands/cargo-tree.html">cargo-tree</a> can tell you your dependency tree</li> <li><a rel="external" href="https://github.com/geiger-rs/cargo-geiger">cargo-geiger</a> can tell you if any of your dependencies in the graph use <code>unsafe{}</code></li> <li><a rel="external" href="https://github.com/cackle-rs/cackle">cargo-acl</a> can tell you which crates use <code>unsafe{}</code>, run build scripts to see if any use network/filesystem, and provides you with API usage information to see if a crate is doing things unexpected. It can even sandbox the build tools.</li> <li><a rel="external" href="https://blog.rust-lang.org/inside-rust/2020/01/23/Introducing-cargo-audit-fix-and-more.html">cargo-audit</a> can tell you if any of your crates are affected by a known security vulnerability and fix the used package version automatically.</li> </ul> <p>These are all possible because Rust's tooling ecosystem is so good. These are not things that are run by default so the argument is a bit weaker, but the fact that they exist means you have the option of using them if you want to. For example, I've seen many CI pipelines that use <code>cargo-audit</code> to ensure vulnerable crates aren't being used.</p> <blockquote> <p>People who write a lot of C end up building things themselves once and keeping them around and adapting them for decades, including basic data structures like hash tables.</p> </blockquote> <p>I see this as a bad thing. You're probably going to write bugs and it's going to be hard to fix affected applications. No proper version tracking or update mechanism means that depending on how you use and manage this ad-hoc dependency, tracking where it's used and patching affected programs might be difficult.</p> <p>A hash table is also not necessarily a "basic" data structure but I would definitely consider it a <em>common</em> data structure. Common data structures and algorithms can still have bugs, and there are many examples of this (and if it's so common why isn't it in the stdlib?). No intent here to shame these folks, but just some examples: <a rel="external" href="https://rustsec.org/packages/smallvec.html">smallvec</a>, <a rel="external" href="https://blog.isosceles.com/the-webp-0day/">libwebp's Huffman tree decoding</a>, and <a rel="external" href="https://www.openwall.com/lists/oss-security/2024/01/30/7">glibc's <code>qsort()</code></a>. (I'm aware that glibc and libwebp would typically be installed using your distro's package manager but that's besides the point.)</p> <p>So why are we shooting ourselves in the foot by making it difficult to track and manage our dependencies for C/C++, including even our <em>own</em> first-party dependencies?</p> <p><a rel="external" href="https://x.com/Lucretiel/status/1772865033757679892">@Lucretiel summarized this same sentiment fairly well on Twitter</a>:</p> <blockquote> <p>Quick reminder that I C doesn't have a culture of minimal dependencies because of some kind of ingrained strong principles in its community, C has a culture of minimal dependencies because adding a dependency in C is a pain in the fucking ass.</p> <p>Rust and Node.js have smaller projects and deeper dependency trees than C++ or Python for literally no other reason than the fact that the former languages make it very easy to create, publish, distribute, and declare dependencies.</p> <p>This is systemic incentives 101.</p> </blockquote> <h2 id="rust-isn-t-as-batteries-included-as-other-languages"><a class="zola-anchor" href="#rust-isn-t-as-batteries-included-as-other-languages" aria-label="Anchor link for: rust-isn-t-as-batteries-included-as-other-languages" >#</a > Rust isn't as "batteries included" as other languages</h2> <p>One point John makes is:</p> <blockquote> <p>Languages like Go and Python that have extensive standard libraries that the language maintainers take responsibility for are actually the best case scenario in my opinion. Yes, more people touch the code, but the DIY economics are often the wrong choice, and having organizations willing to both be accountable, and provide an environment where people can focus on minimizing dependencies if they feel its important, is a good thing.</p> <p>...</p> <p>Generally, I think Rust (and pretty much any programming language) would be served well to take ownership of their standard libraries. Pull in all the dependencies, and be willing to take ownership.</p> </blockquote> <p>I agree with John that having batteries included simplifies things for both new and established users, but I don't think we should be so quick to add more batteries to the collection without sufficient testing.</p> <p>My understanding is Rust has learned from the mistakes of other languages and explicitly tries not to include things in the standard library that the Rust core team believes don't quite fit, including for reasons of figuring out the API. You simply have more freedom with packages: they're semver-versioned and you can break compat with an appropriate version bump.</p> <p>You don't necessarily know the warts of an API until you start to really use it widely. Take for example the <a rel="external" href="https://crates.io/crates/rand"><code>rand</code> crate</a>. There is no random number generator in the Rust standard library, and <code>rand</code> is the de facto standard crate for this task.</p> <p>That's a bit odd, no? Random number generation is fairly common and one would think it's in the standard library. There's even a tracking issue for adding one: <a rel="external" href="https://github.com/rust-lang/rust/issues/27703">#27703</a> (and <a rel="external" href="https://github.com/rust-lang/rust/issues/36999">#36999</a>).</p> <p>While I agree in principle, putting something into the standard library mostly means that the APIs for it are immutable. You know what's changed in fairly minor but meaningful ways since those issues were closed? The <code>rand</code> crate's APIs. If these had been brought into the standard library as-is we'd be mostly forever stuck with certain warts like <a rel="external" href="https://docs.rs/rand/0.6.5/rand/trait.Rng.html#method.gen_range"><code>Rng::gen_range()</code></a> accepting 2 args (low, high) instead of the more-natural <code>Range</code> (using <code>low..=high</code> syntax).</p> <p>Rust itself is still a growing and changing language as well, and it may not make sense to land on an API that would be better once language improvements land. Good luck changing a stabilized API without breaking compat.</p> <h2 id="package-management-in-other-languages-also-suck"><a class="zola-anchor" href="#package-management-in-other-languages-also-suck" aria-label="Anchor link for: package-management-in-other-languages-also-suck" >#</a > Package management in other languages also suck</h2> <blockquote> <p>Yes, Python has become so popular, that plenty of people use outside dependencies, and there are several popular package managers. However, it’s still in a vastly better place from a supply chain perspective than JavaScript, which has become famous among developers for hidden dependencies on trivially small packages.</p> </blockquote> <p>There's no way to really sugarcoat this, but Python and Go package management really fucking sucked (Python still sucks, but some semi-recent tools are making it suck less).</p> <p>So Python has monolithic dependencies... but why? Because the tooling and <a rel="external" href="https://packaging.python.org/en/latest/tutorials/packaging-projects/">uploading dependencies</a> is high-friction^{^{(I've never uploaded -- maybe it's easier than I think)}}. And we're supposed to praise this? In what world is Python + pip "in a vastly better place from a supply chain perspective than JavaScript" because of this fact either?</p> <ul> <li>pip dependencies are by default global which causes conflicts with other Python applications, forcing you to use virtual environments. <em>Note: <a rel="external" href="https://www.reddit.com/r/rust/comments/1d86c62/on_dependency_usage_in_rust/l76qj85/">/u/encyclopedist on Reddit</a> pointed out that this has recently changed with <a rel="external" href="https://peps.python.org/pep-0668/">PEP 668</a>.</em></li> <li>If pip hits a version conflict within your own project's package graph you're in for a headache</li> <li>Packages with native dependencies are a mystery to basically everyone except the package author. Or is this just me?</li> <li>There's no strong lockfile containing metadata sufficient for guaranteeing the bits someone installing a project's dependencies for the first time match the bits when the lockfile was generated (i.e. package hashes).</li> </ul> <p>pip in my experience has been so frustrating to use for dependency management that it inspires me to just simply not use dependencies to begin with. <strong>Yes there are tools that make this easier, but they are not defaults or even agreed upon by the community.</strong></p> <p>And before Go had its <a rel="external" href="https://go.dev/blog/versioning-proposal">package management renaissance</a> does anyone remember what it looked like to use dependencies in Go?</p> <p>You imported a library like this in your code:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="go"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span style="color: #89DDFF;"> (</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &quot;</span><span style="color: #FFCB6B;">github.com/codegangsta/cli</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">)</span></span></code></pre> <p>You use <code>go get</code> to download the dependencies to your local machine, and built the application.</p> <p>There were no lock files, no versions, nothing. The latest version of the source code was grabbed and used until you updated it which may have had breaking changes. The community had to resort to package proxies to version packages. Today it's pretty insane to think about letting a 3rd party man-in-the-middle your packages and deliver it to you with no integrity checks just to work around warts in the tools.</p> <p>And what about other languages like C#? NuGet, .NET's package manager, was also terrible.</p> <p>I don't know how it is today, but around ~2017 while working at Microsoft I discovered that NuGet had a "feature" where the client would reach out to all of your package feeds in parallel to fetch a package and whichever responded first won. I can't find the issue for it on GitHub, but someone had reported this behavior and it was considered "by-design".</p> <p>Even still when I presented the problem to the NuGet team internally, they did not see it as a vulnerability. The obvious problem here was that we were leaking our internal package names to external package feeds and a name collision could result in the wrong package being used (this was before dependency substitution/confusion attacks were widely known).</p> <p>NuGet also had no lock files, no integrity checks, and conveniently provides install/build scripts and usually what you're receiving is prebuilt binaries. Code integrity isn't verified and the only thing that would have prevented you from using a completely different binary was <a rel="external" href="https://learn.microsoft.com/en-us/dotnet/standard/assembly/strong-named">Strong naming</a> which is not a security boundary. In fact, I've seen a lot of projects publish their strong name key.</p> <p>Rust was fortunately blessed from the beginning (<a rel="external" href="https://blog.rust-lang.org/2014/11/20/Cargo.html">pre-1.0, 2014!</a>) with people who knew how to build a package manager. Cargo is not perfect, but it works pretty damn well for the majority of Rust users.</p> <p>It is <em>because</em> the package management story in Rust is so good compared to other languages that the standard library doesn't need to be as feature-complete. Shipping with a fantastic package manager in 1.0 allowed the community package ecosystem to explode without having to pause and shift towards better or different solutions (NuGet's change to <a rel="external" href="https://devblogs.microsoft.com/nuget/enable-repeatable-package-restores-using-a-lock-file/">JSON-based projects</a>, Go's shift away from <code>go get</code> using git-based imports to Go modules, and many different Python package managers like poetry, rye, pipenv).</p> <p>Rust developers are not bleeding from using the tools they depend on and it's absurd to me that this is considered a weakness.</p> <h2 id="what-about-dependency-explosion"><a class="zola-anchor" href="#what-about-dependency-explosion" aria-label="Anchor link for: what-about-dependency-explosion" >#</a > What about dependency explosion?</h2> <p>Here is an example of an application I'm working on that reads files in a custom filesystem specific to the Xbox 360 (known as XContent / STFS). There's crypto involved for signing the header and verifying file data and conceptually this single file contains many others similar to a tarball or zip file.</p> <p>It's a CLI application with the following dependencies in its <code>Cargo.toml</code> file:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="toml"><span class="giallo-l"><span style="color: #89DDFF;">[</span><span style="color: #FFCB6B;">dependencies</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># For mmaping the input file</span></span> <span class="giallo-l"><span>memmap2</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">0.9</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Parsing arguments</span></span> <span class="giallo-l"><span>clap</span><span style="color: #89DDFF;"> = {</span><span> version</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">4.5.4</span><span style="color: #89DDFF;">&quot;,</span><span> features</span><span style="color: #89DDFF;"> = [&quot;</span><span style="color: #C3E88D;">derive</span><span style="color: #89DDFF;">&quot;] }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Easy error handling</span></span> <span class="giallo-l"><span>anyhow</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">1.0</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Data serialization</span></span> <span class="giallo-l"><span>serde</span><span style="color: #89DDFF;"> = {</span><span> version</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">1.0</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Reading the input file&#39;s filesystem</span></span> <span class="giallo-l"><span>stfs</span><span style="color: #89DDFF;"> = {</span><span> version</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">0.1</span><span style="color: #89DDFF;">&quot;,</span><span> path</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">../stfs</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Also for reading the input file&#39;s filesystem</span></span> <span class="giallo-l"><span>xcontent</span><span style="color: #89DDFF;"> = {</span><span> path</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">../xcontent</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Date/time operations</span></span> <span class="giallo-l"><span>chrono</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">0.4.38</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Converting data to/from hexadecimal</span></span> <span class="giallo-l"><span>hex</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">0.4.3</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Converting file sizes to something human-readable</span></span> <span class="giallo-l"><span>humansize</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">2.1.3</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Serializing data to JSON</span></span> <span class="giallo-l"><span>serde_json</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">1.0</span><span style="color: #89DDFF;">&quot;</span></span></code></pre> <p>According to <a rel="external" href="https://lib.rs/crates/cargo-deps-list"><code>cargo deps-list</code></a> this results in 102 dependencies from the 10 direct dependencies I specified. <a rel="external" href="https://github.com/jplatte/cargo-depgraph"><code>cargo depgraph</code></a> produced this graph:</p> <p><a href="/img/dependency-usage-in-rust/acceleration_dependency_graph.svg"><img src="/img/dependency-usage-in-rust/acceleration_dependency_graph.svg" alt="The application&#39;s dependency graph in dotviz format" /></a></p> <p><em>Click for a larger image</em></p> <h3 id="the-sniff-test"><a class="zola-anchor" href="#the-sniff-test" aria-label="Anchor link for: the-sniff-test" >#</a > The sniff test</h3> <p>I've mentioned my "quick checks" or "sniff test" a couple times in this blog post, so it's worth calling out what it is.</p> <p>I 100% did not audit all 102 of these dependencies in the above graph, but for each of the 10 <em>I directly brought in to my application</em> I looked at the author to see if I knew of them, looked at their project setup, and decided their goals align with mine which led me to using the crate. I've passed on crates that to me looked like someone not necessarily intending for others to use their work, or simply did not pass my vibe check.</p> <p>Here is what my personal flow looks like:</p> <ol> <li>Do a search for the topic I'm interested in</li> </ol> <p><a href="/img/dependency-usage-in-rust/convert_to_hex_search.png"><img src="/img/dependency-usage-in-rust/convert_to_hex_search.png" alt="Kagi serach for &quot;convert to hex rust&quot;" /></a></p> <ol start="2"> <li>Check the crates.io page</li> </ol> <p><a href="/img/dependency-usage-in-rust/hex_crates_io.png"><img src="/img/dependency-usage-in-rust/hex_crates_io.png" alt="crates.io page for the &quot;hex&quot; crate" /></a></p> <p>✅ The crate has good examples and information. I don't recognize the author, but that's not terribly uncommon.</p> <ol start="3"> <li>Check the crate's stats to get an idea of how widely used it is</li> </ol> <p><a href="/img/dependency-usage-in-rust/hex_stats.png"><img src="/img/dependency-usage-in-rust/hex_stats.png" alt="&quot;hex&quot; crate usage stats" /></a></p> <p>✅ Tons of usage. These numbers can be gamed, but probably not to this level.</p> <ol start="4"> <li>Check the versions.</li> </ol> <p><a href="/img/dependency-usage-in-rust/hex_versions.png"><img src="/img/dependency-usage-in-rust/hex_versions.png" alt="hex crate versions showing 9 versions, last one was 3 years ago" /></a></p> <p>✅ 9 versions since its original release 8 years ago. The last release was 3 years ago. The author isn't changing stuff all the time which is good as I don't expect a hex crate to have heavy code churn.</p> <ol start="5"> <li>Check who is using this crate to see if I recognize any of them</li> </ol> <p><a href="/img/dependency-usage-in-rust/hex_dependents.png"><img src="/img/dependency-usage-in-rust/hex_dependents.png" alt="dependents for the hex crate" /></a></p> <p>✅ The hex crate has over 4,000 other crates depending on it and I recognize all of the top 5 biggest users.</p> <ol start="6"> <li>Check the repo</li> </ol> <p><a href="/img/dependency-usage-in-rust/hex_repo.png"><img src="/img/dependency-usage-in-rust/hex_repo.png" alt="hex crate repo" /></a></p> <p>✅ This is not a great example but the hex crate has some stars, the active development about matches the crates.io page (keep in mind the repository doesn't have to match what's uploaded to crates.io!), and the project looks decently put together. There's also no build.rs script that I need to check out.</p> <p>The crate passes all of my standard checks! I feel comfortable pulling the crate into my repository</p> <h3 id="economic-factors"><a class="zola-anchor" href="#economic-factors" aria-label="Anchor link for: economic-factors" >#</a > Economic factors</h3> <p>Something John mentions multiple times is weighing "economic factors" when considering what language or dependencies to use.</p> <blockquote> <p>Avoid unnecessary dependencies. I will leave ‘unnecessary’ vaguely defined here; you need to be educated and judge all the economic factors. But note that, there are often other benefits to fewer dependencies, from shorter build times to less surface to test, to less risk from API changes or bugs from downstream dependencies.</p> </blockquote> <p>Are all of these 10 crates I used above strictly necessarily? No. I could get away with writing my own hex converter, human-readable size converter, command-line argument parser, drop mmap support, drop support for chrono date/time, and rewrite to use standard <code>Result&lt;T, E&gt;</code> instead of using <code>anyhow</code>. This is what such a <code>Cargo.toml</code> would look like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="toml"><span class="giallo-l"><span style="color: #89DDFF;">[</span><span style="color: #FFCB6B;">dependencies</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Data serialization</span></span> <span class="giallo-l"><span>serde</span><span style="color: #89DDFF;"> = {</span><span> version</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">1.0</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Reading the input file&#39;s filesystem</span></span> <span class="giallo-l"><span>stfs</span><span style="color: #89DDFF;"> = {</span><span> version</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">0.1</span><span style="color: #89DDFF;">&quot;,</span><span> path</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">../stfs</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Also for reading the input file&#39;s filesystem</span></span> <span class="giallo-l"><span>xcontent</span><span style="color: #89DDFF;"> = {</span><span> path</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">../xcontent</span><span style="color: #89DDFF;">&quot; }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Serializing data to JSON</span></span> <span class="giallo-l"><span>serde_json</span><span style="color: #89DDFF;"> = &quot;</span><span style="color: #C3E88D;">1.0</span><span style="color: #89DDFF;">&quot;</span></span></code></pre> <p>But you know what I get from splurging on 6 extra deps?</p> <p><strong>I can just write my fucking code</strong>. That's the biggest economic factor I care about.</p> <p>I don't have to worry about making my argument parser print out help and keeping its flags and info up-to-date and manually pretty. I don't have to leave the user with a shitty <code>DateTime</code> field because I can't write a good one for them since my app doesn't revolve around dates. I don't have to write boilerplate for bubbling up errors. <strong>The overall quality of the application and my dev experience is improved.</strong></p> <p><code>hex</code> and <code>humansize</code> are arguably my application's <a rel="external" href="https://en.wikipedia.org/wiki/Npm_left-pad_incident"><code>left-pad</code></a>. Converting to/from hex is not terribly complex and converting a number of bytes to the best unit of KB/MB/GB is extremely easy. In fact, I'm pretty sure I originally wrote it for this project and then removed it. These dependencies do one task that's simple enough for me to write but I didn't.</p> <p>Why? Because each handles some edge cases that may matter for me, and I'm not wanting to spend 30m of my time writing something that's not core to my application when someone already wrote the code and did it better than I would in those 30m. Instead I took 3 minutes to search around to find the crate, ensure it fit my needs and to sanity check it looked kinda legit, and then used it in my application.</p> <p>I got. Shit. Done.</p> <p>I will say that there have been times where I've compiled something and thought, "Holy shit 500+ dependencies?" But to me this isn't a signal of it's security but rather <em>bloat</em> and <em>complexity</em>. I have to think about everything the application does, its complexity, and consider if it's just bloated for no reason or if there is good reason for having so many dependencies. This can impact my judgement on the application's <em>quality</em> and how likely I am to use really use the tool.</p> <p><a rel="external" href="https://x.com/Lucretiel/status/1791916569951375591">@Lucretiel said something else recently on Twitter</a> said something that loosely fits into this topic:</p> <blockquote> <p>It’s a good thing we’re keeping our dependency count low, I think to myself, as I read about how my UI framework also provides threads, networking utilities, data structures, floating point math, D-Bus, cryptographic utilities, geographic utilities, and a Bluetooth implementation</p> </blockquote> <p>Bloat is everywhere. You just need to know how to look for it.</p> <h3 id="circle-of-trust"><a class="zola-anchor" href="#circle-of-trust" aria-label="Anchor link for: circle-of-trust" >#</a > Circle of trust</h3> <blockquote> <p>Anyway, the more dependencies you have, the larger your circle of implicit trust is, the larger your attack surface is, and the more supply chain risk you’re taking.</p> </blockquote> <p>I'd rather assume an author of a crate that looks like it provides what I need has non-malicious intent than the other way around. Maybe that perspective will change if I ever get burned and my laptop gets ransomwared because I missed a <code>build.rs</code> file or a proc macro that does sketchy things.</p> <p>But consider for a second: do you consider your OS as part of your circle of trust? It's unlikely you'll ever get backdoored by your OS, but bugs are certainly present and depending on your threat model a vulnerable OS means a problem for you.</p> <p>Do you know how much attack surface there is with say image parsing on iOS/macOS?</p> <p>You can choose to not bring in libjpeg/libpng/libwebp and just use ImageIO (which is used by UIKit/CoreGraphics). Easy! Except you now have at least 30 different image formats on your attack surface that you didn't know about. And there's no way to turn them off. And now you're stuck ensuring that the image you're parsing is a trusted image format.</p> <p>You might be screaming, "But Apple is trusted! And Apple publishes updates!"</p> <p>Ok? Did you validate how many of those updates are backported to major iOS versions used by your users? Did you audit Apple's closed-source lib and discover this attack surface and then weigh the economic costs of not using it? I mean, ImageIO is mostly just a wrapper around libjpeg and libpng, so why not just use them directly?</p> <p>Likely answer: <em>Because it's convenient and you might not care about the problems I am describing because you aren't some security nerd.</em></p> <h2 id="closing-thoughts"><a class="zola-anchor" href="#closing-thoughts" aria-label="Anchor link for: closing-thoughts" >#</a > Closing thoughts</h2> <p>I would like to thank John for sharing his thoughts and perspective. I do outright agree with some his points:</p> <ul> <li>Avoiding unnecessary dependencies may be better long-term for better compile times and less potential problems down the road. This is a tradeoff worth considering, but to me is a minor point.</li> <li>The bigger your dependency graph, the bigger your single-points of failure. I see this as a tradeoff for rapid development.</li> <li>Understand what makes sense for your team and your own threat model.</li> </ul> <p>But I disagree with some of the foundational arguments like:</p> <blockquote> <p>C’s advantage in terms of lack of dependencies (which can come with a lower attack surface in general) is large, but still doesn’t make it the right economic choice in the first place. It might still be wiser to choose Rust when all economic factors are considered, but the security argument is just not one I find compelling enough.</p> </blockquote> <p>The security risk of dependency use is simply not one I find compelling enough to select C over Rust, and certainly is not scarier than a buffer overflow. C lacking first-class support for dependencies should be considered a strong disadvantage since you can't even get good support for 1st-party dependencies.</p> <p>The benefits Rust provides <em>as a language</em> are already enough for a lot of people to select it over C -- myself included. A stellar default package manager and build tool makes it all the better to use. In my opinion "dependency usage" should be a minor footnote (and John explicitly says to weigh these kinds of factors yourself).</p> <p>Additionally, I'd argue that a critical mem safety issue is statistically way more likely to happen and can have critical impact even with modern mitigations. Some of the memory safety bugs that we're finding are old enough to drink in the US, showing that they can be very difficult to find. The <code>xz</code> backdoor required around 3 years worth of effort to attempt to sneak into the application and was discovered in less than a week after it went live.</p> <p>Don't live in fear of dependencies. Do what provides the least friction for you to accomplish the engineering you enjoy doing within your personal or team parameters.</p> 2023-11-08T00:00:00+00:00 2023-11-08T00:00:00+00:00 Unknown https://landaire.net/world-of-warships-deobfuscation/ <h2 id="background"><a class="zola-anchor" href="#background" aria-label="Anchor link for: background" >#</a > Background</h2> <p>This blog post is something I'm writing 3 years after my initial research/development, and about 2 years after I stopped actively working on the tool. Some of the details in this blog may not be fully accurate from time slippage and a lot of the initial research notes I made were lost or scattered in Discord conversations.</p> <p>I am only now writing this as the game is somewhat dead and the development team chooses to continually release content that makes gameplay worse. Submarines, hybrid battleships, aircraft carriers, and HE-spamming battleships with cruiser concealment that overmatch everything have led to a less enjoyable gameplay experience.</p> <p>The tool and techniques have been kept to a very tight circle so that data mining could continue without a potential cat-and-mouse game with the developer. I apologize to that community if that does occur.</p> <p>Two years ago I open-sourced a tool I called <a rel="external" href="https://github.com/landaire/unfuck"><code>unfuck</code></a> which I described as a "Python 2.7 bytecode <del>deobfuscator</del> unfucker". That tool was the result of the work I had done for World of Warships, but isn't capable of completely deobfuscating World of Warships files out-of-the-box. <code>unfuck</code> <a rel="external" href="https://news.ycombinator.com/item?id=28163546">made the rounds on HN</a> where I got supportive responses such as:</p> <blockquote> <p>Look, I get that edgy names are fun, but I'm happy that I will never have to use this tool for work, and I pity the fool who has to explain why "unfuck" was needed to solve a real problem.</p> </blockquote> <p>And:</p> <blockquote> <p>Ooof, really bad name. Makes me think the project or maintainer are immature...</p> </blockquote> <p>And someone respecting my licensing choices:</p> <blockquote> <p>Interesting dual licensing</p> </blockquote> <blockquote> <blockquote> <p>This project is dual-licensed under MIT and the ABSE ("Anyone But Stefan Esser") license. Note that an additional exception to the license is added, forbidding use/redistribution of said content to his trainees as well, but only when in a 5 mile radius from "Stefan Esser" or while holding any sort of (video)conference/chat with him.</p> </blockquote> <blockquote> <p>Note that this license will only be used as long as what would capstone decode / that one other arm64 ida plugin thing by i0n1c ("Stefan Esser") are not under the MIT license. afterwards, all exceptions are cleared and basically MIT license applies</p> </blockquote> </blockquote> <h2 id="what-is-world-of-warships"><a class="zola-anchor" href="#what-is-world-of-warships" aria-label="Anchor link for: what-is-world-of-warships" >#</a > What is World of Warships?</h2> <p>World of Warships (WoWs) is a free-to-play naval warfare multiplayer game released in 2015 by Wargaming and their Lesta Studio. It supports <a rel="external" href="https://web.archive.org/web/20230728140319/https://forum.worldofwarships.com/topic/174161-modapi-documentation/">multiple forms of modifications</a> via Adobe Flash for UI mods, XML/audio files for audio mods, custom ship textures, and Python for basically everything else. The Python APIs are somewhat limited, but can observe some in-game events that allow mod developers to surface information that the game doesn't show you by default.</p> <p>Unlike a lot of multiplayer games, WoWs uses an authoritative server model where each client is only receiving events that the server believes they <em>should</em> receive. For example, enemy ship locations and related information is only pushed down to clients when they are intended to be painted to your screen. There are no wall hacks and things like auto-aim are somewhat negated by player skill. That doesn't mean there aren't <a rel="external" href="https://v.youku.com/v_show/id_XNTgxNzIzNjAwNA==.html">illegal mods/cheats</a> that show you where to aim, where incoming artillery shells will land, etc.</p> <p>With all of that said, there is very little incentive to cheat in this game. A top-tier player in World of Warships will have the game sense and skill that comes within a close margin to someone playing with cheats. Therefore deobfuscation of scripts doesn't necessarily help with cheat development apart from illegal mods, but may help modders create better mods in general.</p> <h2 id="game-scripts"><a class="zola-anchor" href="#game-scripts" aria-label="Anchor link for: game-scripts" >#</a > Game Scripts</h2> <p>Although the World of Warships developers are mostly transparent about how game mechanics work, there have still been some mysteries. For example, the <a rel="external" href="https://www.reddit.com/r/WorldOfWarships/comments/l1dpzt/reverse_engineered_dispersion_ellipse_including/">algorithm for how the dispersion ellipse of your shells is calculated</a> and the <a rel="external" href="https://www.reddit.com/r/WorldOfWarships/comments/mesoun/reverse_engineered_how_sigma_works_with_dispersion/">dispersion of the shells themselves</a>.</p> <p>The format of match replay files is also <a rel="external" href="https://github.com/Monstrofil/replays_unpack">mostly documented</a> through reverse engineering work of a few researchers and from reviewing publicly available engine source code, but there are still unknown elements to the serialized format. For these reasons it's highly desirable to review the implementation code to unmask these mysteries.</p> <p>There has been at least one other individual who managed to deobfuscate and decompile the game scripts as far back as 2016. A World of Warships EU forum member by the name of <a rel="external" href="https://web.archive.org/web/20230802004250/https://forum.worldofwarships.eu/topic/55613-understanding-wgs-armor-penetration-curves/?page=3">"TehRick" / "ThiSpawn" made multiple posts</a> showing they had reverse engineered some of the C++ and Python logic. In fact, they explicitly called out the "Lesta anti-noob protection" obfuscated Python module name in one of their forum posts:</p> <p><img src="/img/wows-obfuscation/tehrick_1.png" alt="TehRick forum post" /></p> <p>In <a rel="external" href="https://www.reddit.com/user/ThiSpawn">a Reddit post</a> by the same username they also linked to a decompiled Python source file: <a rel="external" href="https://pastebin.com/y3Yk43Nd">https://pastebin.com/y3Yk43Nd</a>.</p> <p>Although TehRick seems to have disappeared soon after these posts, their code was still being referenced 4 years later!</p> <p><em>If you are TehRick / ThiSpawn feel free to reach out to me -- I would love to talk about your deobfuscator!</em></p> <h2 id="python-vm-primer"><a class="zola-anchor" href="#python-vm-primer" aria-label="Anchor link for: python-vm-primer" >#</a > Python VM Primer</h2> <p>When Python source code is executed, you may notice that a <code>.pyc</code> file is created. The Python interpreter doesn't interpret raw source code -- it first compiles that source code to an intermediate representation that can be fed to the VM as instructions.</p> <p>The VM is stack-based with some "registers" which are used for runtime storage of variables in pre-defined variable (or unnamed) slots. Almost every VM operation with the exception of loads/stores will directly modify values on the stack in some way. Variable registers cannot be modified in-place, and must first be put directly on the stack.</p> <p>Each object on the stack or in a variable slot is a deserialized Python object representing one of the following types:</p> <ul> <li>None</li> <li>StopIteration</li> <li>Ellipsis</li> <li>Bool</li> <li>Long</li> <li>Float</li> <li>Complex</li> <li>Bytes</li> <li>String</li> <li>Tuple</li> <li>List</li> <li>Dict</li> <li>Set</li> <li>FrozenSet</li> <li>Code</li> </ul> <p>Basically the raw primitive types you're probably used to when writing Python. All module definitions, functions, etc. are defined as <code>Code</code> objects that live in the <code>co_consts</code> section of their parent code object. Ditto with any lists, tuples, etc. that are hard coded in source code.</p> <h3 id="instructions"><a class="zola-anchor" href="#instructions" aria-label="Anchor link for: instructions" >#</a > Instructions</h3> <p>World of Warships uses Python 2.7 which has helpful documentation covering all instructions here: <a rel="external" href="https://docs.python.org/2/library/dis.html">https://docs.python.org/2/library/dis.html</a>.</p> <p>All instructions are at least 1 byte for the opcode and up to 3 bytes for instructions which have a 16-bit argument. For example, a <code>JUMP_ABSOLUTE 300</code> may be encoded as <code>0x71_012c</code> and a <code>POP_TOP</code> may be encoded as <code>0x01</code>.</p> <p>The WoWs developers did not do any opcode remapping, which is a fairly common obfuscation trick when an application has the flexibility of embedding the Python VM.</p> <h2 id="prior-work-on-deobfuscation"><a class="zola-anchor" href="#prior-work-on-deobfuscation" aria-label="Anchor link for: prior-work-on-deobfuscation" >#</a > Prior Work on Deobfuscation</h2> <h3 id="lpcvoid-s-findings"><a class="zola-anchor" href="#lpcvoid-s-findings" aria-label="Anchor link for: lpcvoid-s-findings" >#</a > lpcvoid's Findings</h3> <p>World of Warships' core game logic is contained within a <code>scripts.zip</code> file that is handled by a special loader. The loader reads compiled Python (files ending in <code>.pyc</code>) out of this zip archive and even uses a special technique of handling the serialized Python code object.</p> <p>This logic and deobfuscating the <em>first stage</em> of the matryoshka doll has already been described by <a rel="external" href="https://lpcvoid.com/blog/0007_wows_python_reversing/index.html">lpcvoid on his blog</a> and he even has a <a rel="external" href="https://lpcvoid.com/blog/0008_python_bytecode_dejunking/index.html">part 2</a> going into some of the junk instructions. I highly recommend reading his blog posts before continuing, as I will not rehash his hard work.</p> <p>To summarize his findings: the module loader deserializes the bytecode object and uses the bytecode as an encryption key for some ciphertext stored in const data. After decrypting the ciphertext, the plaintext is decompressed (zlib) and is executed as a code object.</p> <h3 id="rapid-analysis-of-bytecode-using-pyasm"><a class="zola-anchor" href="#rapid-analysis-of-bytecode-using-pyasm" aria-label="Anchor link for: rapid-analysis-of-bytecode-using-pyasm" >#</a > Rapid Analysis of Bytecode Using pyasm</h3> <p>I wanted to take a quick moment to call out that my friend @gabe_k wrote a tool for a CTF challenge he put together many years ago called <code>pyasm</code> that is specifically designed for this type of scenario. It can gracefully handle disassembling of bad instructions, and even supports recompiling a <code>.pyasm</code> file back to a serialized code object. I've forked the project and made some quality of life improvements/bug fixes here: <a rel="external" href="https://github.com/landaire/pyasm">https://github.com/landaire/pyasm</a>.</p> <p>Here is an example of what one of these <code>.pyc</code> files look like when converted to a <code>.pyasm</code> file (redacted since it's very long):</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span>code</span></span> <span class="giallo-l"><span> stack_size</span><span style="color: #F78C6C;"> 3</span></span> <span class="giallo-l"><span> flags</span><span style="color: #F78C6C;"> 66</span></span> <span class="giallo-l"><span> consts</span><span style="color: #F78C6C;"> 4</span></span> <span class="giallo-l"><span> none</span></span> <span class="giallo-l"><span> string</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">Wargaming.net | Lesta Studio</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span> string</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">an error occurred while loading module</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span> string</span><span style="color: #89DDFF;"> &quot;</span><span>\x9a\xb6\x85</span><span style="color: #C3E88D;">A.^lPGO0Z/</span><span>\xee</span><span style="color: #C3E88D;">Y3o</span><span>\x11</span><span style="color: #C3E88D;">$,FCPCi&amp;:U</span><span>\x04\t\x02</span><span style="color: #C3E88D;">IS</span><span>\x15</span><span style="color: #C3E88D;">5EJ</span><span>\x1a</span><span style="color: #C3E88D;">3</span><span>\x96\x1f</span><span style="color: #C3E88D;">=*</span><span>\xe2</span><span style="color: #C3E88D;">?</span><span>\xa9</span><span style="color: #C3E88D;">5</span><span>\xa5\t</span><span style="color: #C3E88D;">f</span><span>\x13</span><span style="color: #C3E88D;">hl</span><span>\x92</span><span style="color: #C3E88D;">,</span><span>\x12\x14</span><span style="color: #C3E88D;">T</span><span>\x06\xc8</span><span style="color: #C3E88D;">o:</span><span>\x08\x16\xd4\xfd\xd0\x8c\xc1</span><span style="color: #C3E88D;">T</span><span>\xa0\x9b\xe5</span><span style="color: #C3E88D;">b</span><span>\xc3</span><span style="color: #C3E88D;">%</span><span>\x0e</span><span style="color: #C3E88D;">D</span><span>\x8e\x85\xfb</span><span style="color: #C3E88D;">%</span><span>\x83\x9b\xff</span><span style="color: #C3E88D;">L</span><span>\r</span><span style="color: #C3E88D;">H</span><span>\r</span><span style="color: #C3E88D;">uk</span><span>\x14\xf2</span><span style="color: #C3E88D;">=</span><span>\xd7\x86\t\x13\x0b</span><span style="color: #C3E88D;">k</span><span>\x83</span><span style="color: #C3E88D;">HL</span><span>\t</span><span style="color: #C3E88D;">H</span><span>\xbf\x07</span><span style="color: #C3E88D;">6IM</span><span>\xa1\x0b</span><span style="color: #C3E88D;">TP</span><span>\xdc\xc7</span><span style="color: #C3E88D;">&lt;</span><span>\n\x08\x8c\xdd\x05\&#39;\x19\xf0\xa2</span><span style="color: #C3E88D;">FL</span><span>\t\xbb\xd7\x15</span><span style="color: #C3E88D;">=</span><span>\xd8\xc3\xba</span><span style="color: #C3E88D;">3</span><span>\x19\x0f</span><span style="color: #C3E88D;">k</span><span>\xd9\xe4\xf0\xbf\x9c</span><span style="color: #C3E88D;">?</span><span>\n</span><span style="color: #C3E88D;">TJP</span><span>\xc1\xcc\x17\xce\x04\x18\xfe</span><span style="color: #C3E88D;">98</span><span>\x0e\x1d\x86\xdc\xab\x19\xe6</span><span style="color: #C3E88D;">)M,</span><span>\x0e\xd4\xd8\xd4\x02\xb1\x0b</span><span style="color: #C3E88D;">(&amp;;(o_</span><span>\x1c\x1b\x16\xd8\xe1</span><span style="color: #C3E88D;">!-</span><span>\xad</span><span style="color: #C3E88D;">w</span><span>\xda</span><span style="color: #C3E88D;">%</span><span>\xd0</span><span style="color: #C3E88D;">/</span><span>\xa2\x1a\x08</span><span style="color: #C3E88D;">*7</span><span>\xc7\x9d\x10</span><span style="color: #C3E88D;">7</span><span>\x0f\xe4\xcc\x1c\x0c</span><span style="color: #C3E88D;">)...</span></span> <span class="giallo-l"><span> end</span></span> <span class="giallo-l"><span> names</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"><span> string</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">locals</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span> end</span></span> <span class="giallo-l"><span> instructions</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F78C6C;">255</span><span style="color: #89DDFF;">&gt;</span><span style="color: #F78C6C;"> 65532</span></span> <span class="giallo-l"><span> UNARY_INVERT</span></span> <span class="giallo-l"><span> SETUP_EXCEPT</span><span style="color: #F78C6C;"> 15</span></span> <span class="giallo-l"><span> LOAD_CONST</span><span style="color: #F78C6C;"> 1</span><span style="color: #464B5D;font-style: italic;"> # Wargaming.net | Lesta Studio</span></span> <span class="giallo-l"><span> LOAD_NAME</span><span style="color: #F78C6C;"> 0</span><span style="color: #464B5D;font-style: italic;"> # locals</span></span> <span class="giallo-l"><span> CALL_FUNCTION</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span> DUP_TOP</span></span> <span class="giallo-l"><span> EXEC_STMT</span></span> <span class="giallo-l"><span> POP_BLOCK</span></span> <span class="giallo-l"><span> JUMP_FORWARD</span><span style="color: #F78C6C;"> 12</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> *</span><span> POP_TOP</span></span> <span class="giallo-l"><span> LOAD_CONST</span><span style="color: #F78C6C;"> 2</span><span style="color: #464B5D;font-style: italic;"> # an error occurred while loading module</span></span> <span class="giallo-l"><span> PRINT_ITEM</span></span> <span class="giallo-l"><span> PRINT_NEWLINE</span></span> <span class="giallo-l"><span> JUMP_FORWARD</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"><span> END_FINALLY</span></span> <span class="giallo-l"><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0</span><span style="color: #464B5D;font-style: italic;"> # None</span></span> <span class="giallo-l"><span> RETURN_VALUE</span></span> <span class="giallo-l"><span> DELETE_NAME</span><span style="color: #F78C6C;"> 23519</span></span> <span class="giallo-l"><span> UNARY_NOT</span></span> <span class="giallo-l"><span> DELETE_NAME</span><span style="color: #F78C6C;"> 23438</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> &lt;</span><span style="color: #F78C6C;">216</span><span style="color: #89DDFF;">&gt;</span><span style="color: #F78C6C;"> 64603</span></span> <span class="giallo-l"><span> INPLACE_OR</span></span> <span class="giallo-l"><span> UNARY_NOT</span></span> <span class="giallo-l"><span> DELETE_NAME</span><span style="color: #F78C6C;"> 23308</span></span> <span class="giallo-l"><span>...</span></span> <span class="giallo-l"><span>end</span></span></code></pre> <p>Throughout my analysis of the obfuscation tricks I frequently leaned on pyasm for manually reordering/deleting instructions in order to figure out which sections were causing hiccups for the decompiler.</p> <h2 id="wows-generic-obfuscation-tricks"><a class="zola-anchor" href="#wows-generic-obfuscation-tricks" aria-label="Anchor link for: wows-generic-obfuscation-tricks" >#</a > WoWs - Generic Obfuscation Tricks</h2> <h3 id="1-bogus-instructions"><a class="zola-anchor" href="#1-bogus-instructions" aria-label="Anchor link for: 1-bogus-instructions" >#</a > 1: Bogus Instructions</h3> <p>After decrypting and decompressing the 2nd stage code object, you'll find that tools like <a rel="external" href="https://pypi.org/project/uncompyle6/">uncompyle6</a> fail to decompile the bytecode to source with an error. In his 2nd blog post lpcvoid covered one of Lesta's tricks of inserting bogus instructions that contain completely invalid opcodes which confuse these types of tools. One thing not mentioned is that these instructions can also be valid but really mess up the VM's stack and cause static analysis to enter a bad state.</p> <p>Unfortunately, tools like uncompyle are mostly intended to run on Python bytecode generated cleanly by a Python VM. Invalid opcodes are definitely not supported, and neither are invalid instruction operands. This trick is the most straightforward for causing a decompiler to choke.</p> <h3 id="2-stack-reordering"><a class="zola-anchor" href="#2-stack-reordering" aria-label="Anchor link for: 2-stack-reordering" >#</a > 2: Stack Reordering</h3> <p>Different Python code patterns -- even if semantically the same -- have very slight nuance in the emitted instructions. Tools like uncompyle in some cases rely on fragile instruction patterns for mapping to source code and will easily encounter errors when a wonky pattern is encountered.</p> <p>The following is a completely made-up example, but consider the following instruction sequence:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span> 224 LOAD_CONST 0</span></span> <span class="giallo-l"><span> 227 MAKE_FUNCTION_0 0 None</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> L. 351 230 STORE_FAST 6 &#39;f333&#39;</span></span></code></pre> <p>This loads some code object from the const section, makes a function, and stores that function in <code>co_varnames[6]</code>. This would typically result in something like the following Python code:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> f333</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> pass</span></span></code></pre> <p>Now imagine that the instructions were rewritten to push and immediately pop a value to the stack randomly in the middle of creating the function:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span> 224 LOAD_CONST 0</span></span> <span class="giallo-l"><span> 227 MAKE_FUNCTION_0 0 None</span></span> <span class="giallo-l"><span> ... LOAD_CONST None</span></span> <span class="giallo-l"><span> ... POP_TOP</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> L. 351 230 STORE_FAST 6 &#39;f333&#39;</span></span></code></pre> <p>The <code>LOAD_CONST</code>/<code>MAKE_FUNCTION</code>/<code>STORE_FAST</code> pattern is broken by instructions that are effectively a no-op, and the signatures used by the decompilers are now broken.</p> <h3 id="3-const-predicates"><a class="zola-anchor" href="#3-const-predicates" aria-label="Anchor link for: 3-const-predicates" >#</a > 3: Const Predicates</h3> <p>Related to trick #2, instruction patterns may be broken by inserting conditions that evaluate to a constant value. One side of the branch may bring you to some garbage instructions (trick #1) and on the other side of the branch will be the next set of valid code to be executed.</p> <p>Consider the following pseudocode:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #F78C6C;"> 224</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 227</span><span> MAKE_FUNCTION_0</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #82AAFF;"> len</span><span style="color: #89DDFF;">({</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">} &amp; {</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">}) &gt;</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> L</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;"> 351</span><span style="color: #F78C6C;"> 230</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">f333</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> ... POP_TOP</span></span> <span class="giallo-l"><span> ... POP_TOP</span></span> <span class="giallo-l"><span> ... POP_TOP</span></span> <span class="giallo-l"><span> ... RETURN_VALUE</span></span> <span class="giallo-l"></span></code></pre> <p>In the middle of defining a function we've inserted a check to see if two sets overlap, and if so we store the function in variable slot #6 (<code>STORE_FAST 6</code>). If the sets do not overlap, we go down the bogus code path that screws up stack state.</p> <h3 id="4-variable-renaming"><a class="zola-anchor" href="#4-variable-renaming" aria-label="Anchor link for: 4-variable-renaming" >#</a > 4: Variable Renaming</h3> <p>This one really doesn't impact tools but definitely impacts any end user who manages to partially decompile anything: local variables and function names (in the serialized function object) are renamed to things that are illegal in Python source code such as keywords, operators, and a combination of these things with spaces. Function objects are typically renamed to be very large unique numbers. Here is a real example from when I first set on this project:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> f333</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">impf</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> f222</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> continue</span><span> r ; </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 66</span></span> <span class="giallo-l"><span> h</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> ] </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 87</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> assert</span><span> } </span><span style="color: #89DDFF;font-style: italic;">break</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 538</span></span> <span class="giallo-l"><span> l</span><span style="color: #89DDFF;font-style: italic;"> else try</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 199</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> continue</span><span> r ; </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 66</span></span> <span class="giallo-l"><span> h</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> ] </span><span style="color: #89DDFF;">-=</span><span style="color: #F78C6C;"> 538</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> assert</span><span> } </span><span style="color: #89DDFF;font-style: italic;">break</span><span style="color: #89DDFF;"> *=</span><span style="color: #F78C6C;"> 199</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> not</span><span style="color: #89DDFF;font-style: italic;"> continue</span><span> r ; </span><span style="color: #89DDFF;">+</span><span> h</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> ] </span><span style="color: #89DDFF;">&gt;=</span><span style="color: #89DDFF;font-style: italic;"> assert</span><span> } </span><span style="color: #89DDFF;font-style: italic;">break</span><span style="color: #89DDFF;"> -</span><span> h</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> ] </span><span style="color: #89DDFF;">+</span><span> l</span><span style="color: #89DDFF;font-style: italic;"> else try</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span> k</span><span style="color: #89DDFF;font-style: italic;"> try</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 113</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span> k</span><span style="color: #89DDFF;font-style: italic;"> try</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> = None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 2</span><span> c</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 22</span></span> <span class="giallo-l"><span> v</span><span style="color: #89DDFF;font-style: italic;"> as</span><span style="color: #C792EA;"> lambda</span><span style="font-style: italic;"> n</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 433</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 6</span><span> p</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 147</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span> k</span><span style="color: #89DDFF;font-style: italic;"> try</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> +=</span><span style="color: #F78C6C;"> 113</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 2</span><span> c</span><span style="color: #89DDFF;"> -=</span><span style="color: #F78C6C;"> 433</span></span> <span class="giallo-l"><span> v</span><span style="color: #89DDFF;font-style: italic;"> as</span><span style="color: #C792EA;"> lambda</span><span> n </span><span style="color: #89DDFF;">*</span><span>= 147</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> not *</span><span> k</span><span style="color: #89DDFF;font-style: italic;"> try</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span> c</span><span style="color: #89DDFF;"> &gt;=</span><span> v</span><span style="color: #89DDFF;font-style: italic;"> as</span><span style="color: #C792EA;"> lambda</span><span> n - 2 c + 6 </span><span style="font-style: italic;">p</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> pass</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (</span><span>j</span><span style="color: #89DDFF;"> in, % /</span><span>= p</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> { +,</span><span> y</span><span style="color: #89DDFF;"> [, +</span><span>= </span><span style="color: #89DDFF;font-style: italic;">import</span><span> r) = </span><span style="color: #89DDFF;">()</span></span></code></pre><h3 id="5-implicit-returns"><a class="zola-anchor" href="#5-implicit-returns" aria-label="Anchor link for: 5-implicit-returns" >#</a > 5: Implicit Returns</h3> <p>The <code>RETURN_VALUE</code> instruction in Python returns the value located at the top of the VM's stack. Python will, as far as I'm aware, always emit a <code>RETURN_VALUE</code> with the immediately preceding instruction setting up the value to be returned. For example:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>LOAD_FAST 0</span></span> <span class="giallo-l"><span>RETURN_VALUE</span></span></code></pre> <p>This loads the value stored at <code>co_varnames[0]</code> to the top of stack and returns it. Splitting up these instructions will break the pattern decompilers use to transform this into <code>return varname</code>. Imagine if the in the following code <code>tos</code> literally represented the top of the stack (and not a variable slot):</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span> condition</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> tos</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> get_return_value</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> tos</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> other_return_value</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">return</span></span></code></pre> <p>This would create the following control flow:</p> <p><img src="/img/wows-obfuscation/implicit_return.svg" alt="Implicit return control flow" /></p> <p>In this scenario the instruction immediately preceding the <code>RETURN_VALUE</code> isn't the instruction setting up the value -- it's likely some type of <code>JUMP</code> instruction or quite possibly anything else!</p> <p>It's not clear to me if this is more of a code optimization trick, or an obfuscation trick, but really what's the difference?</p> <h3 id="6-weird-jumps"><a class="zola-anchor" href="#6-weird-jumps" aria-label="Anchor link for: 6-weird-jumps" >#</a > 6: Weird Jumps</h3> <p>Something else I noticed was that some jumps were just... weird? There were randomish-looking <code>JUMP_FORWARD N</code> instructions that didn't make sense (but usually were just jumping over garbage instructions), and were hard to disambiguate from those legitimately generated by the Python compiler. For example, the following Python code may insert a <code>JUMP_FORWARD 0</code> (jump to the next instruction):</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span> !foo</span><span style="color: #89DDFF;">:</span><span style="color: #464B5D;font-style: italic;"> # POP_JUMP_IF_FALSE</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # EMIT THIS CODE FIRST</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> foo</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> print</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">target</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> print</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">else</span><span style="color: #89DDFF;">&quot;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># AFTER THE ABOVE BLOCK IS EMITTED, INSERT JUMP_FORWARD 0</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # EMIT BLOCK</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> print</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">main target</span><span style="color: #89DDFF;">&quot;</span></span></code></pre> <p>This probably doesn't make much sense, so let me show a real example of the control flow at an instruction level:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;unnecessary_jump.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;unnecessary_jump.390a96f8be78f4f2.png" alt="" width="455" height="500" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>Do you notice the <code>JUMP_FORWARD 0</code> in the left-center node? It's completely unnecessary! The layout of these instructions when serialized is: <code>POP_TOP</code>, <code>POP_TOP</code>, <code>POP_TOP</code>, <code>JUMP_FORWARD 0</code>, <code>LOAD_FAST 2</code>. The execution sequence of these instructions is exactly the same as well. You could remove the <code>JUMP_FORWARD 0</code> and nothing of value would be lost. So why is it there?</p> <p>It's just a side effect of how the Python compiler does codegen:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> visitIf</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;font-style: italic;">self</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> node</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> end</span><span style="color: #89DDFF;"> =</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">newBlock</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span> numtests</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> len</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">node</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">tests</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span> i</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #82AAFF;"> range</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">numtests</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> test</span><span style="color: #89DDFF;">,</span><span> suite</span><span style="color: #89DDFF;"> =</span><span> node</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">tests</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #82AAFF;"> is_constant_false</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">test</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> #</span><span style="color: #89DDFF;font-style: italic;"> XXX</span><span style="color: #464B5D;font-style: italic;"> will need to check generator stuff here</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> continue</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">set_lineno</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">test</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">visit</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">test</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> nextTest</span><span style="color: #89DDFF;"> =</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">newBlock</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">emit</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">POP_JUMP_IF_FALSE</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #82AAFF;"> nextTest</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">nextBlock</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">visit</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">suite</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">emit</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">JUMP_FORWARD</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #82AAFF;"> end</span><span style="color: #89DDFF;">)</span><span style="color: #464B5D;font-style: italic;"> # &lt;--- UNCONDITIONALLY ADD `JUMP_FORWARD`</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">startBlock</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">nextTest</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> node</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">else_</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">visit</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">node</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">else_</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">nextBlock</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">end</span><span style="color: #89DDFF;">)</span></span></code></pre> <p>Sometimes that <code>JUMP_FORWARD</code> isn't jumping 0 bytes and may be some value that jumps over garbage instructions (and was inserted by the obfuscator). Other times this <code>JUMP_FORWARD</code> comes immediately after some other unconditional control flow instruction and will never be executed by a Python VM (or picked up by my instruction decoder).</p> <p>So why can't it be removed if it's usually unnecessary? Unfortunately uncompyle relies on the presence of the <code>JUMP_FORWARD</code> to determine what type of condition has occurred.</p> <h3 id="7-generally-weird-control-flow"><a class="zola-anchor" href="#7-generally-weird-control-flow" aria-label="Anchor link for: 7-generally-weird-control-flow" >#</a > 7: Generally Weird Control Flow</h3> <p>This one is hard to express without sounding psychotic, but let me just say: <strong>fuck loops, fuck exception handlers</strong>. If you combine the weird jumps and false predicates in loops, you may be able to generate some code that looks like a loop but is only ever executed for one iteration before just jumping to some other part of the code because of a const predicate.</p> <p>And what about exception handlers that intentionally raise an exception that's supposed to be caught to trigger the "good" code path?</p> <p>And what about nesting exceptions inside of loops with const predicates?</p> <p>After encountering such a scenario I was starting to feel like this:</p> <p><img src="/img/wows-obfuscation/charlie.jpg" alt="Meme of Charlie&#39;s conspiracy theory board from It&#39;s Always Sunny in Philadelphia" /></p> <h2 id="deobfuscation"><a class="zola-anchor" href="#deobfuscation" aria-label="Anchor link for: deobfuscation" >#</a > Deobfuscation</h2> <p>Deobfuscating everything together requires a solid framework that can achieve:</p> <ol> <li>Parsing all instructions in a manner that doesn't break on bogus opcodes</li> <li>Evaluating conditions to determine used/unused code</li> <li>Restoring instruction ordering</li> <li>Restoring variable names</li> <li>Deoptimizing code (implicit returns)</li> <li>Normalize weird control flow</li> </ol> <p>...so yeah the natural path I took here was to rebuild the Python VM in Rust in 2 months and write somewhat spaghetti code that revisiting two years later has me thinking "wtf was I smoking?".</p> <h3 id="avoiding-bad-instructions"><a class="zola-anchor" href="#avoiding-bad-instructions" aria-label="Anchor link for: avoiding-bad-instructions" >#</a > Avoiding Bad Instructions</h3> <p>Parsing instructions is fairly straightforward: an instruction with no arguments is 1 byte (opcode), and an instruction with an argument is 3 bytes (opcode + uint16). You start parsing instructions by reading from offset 0 in the <code>co_code</code> section of the code object and just continue this in a loop.</p> <p>Decompilers and disassemblers tend to read instructions <strong>linearly</strong> -- i.e. if the first instruction is <code>JUMP_ABSOLUTE 200</code> it's going to disassemble <code>JUMP_ABSOLUTE 200</code> from offset 0, then disassemble the next instruction from offset 3. This isn't great because you will run into a bunch of bogus instructions that can be avoided by simply creating a decoder that understands control flow.</p> <p>To mitigate this in my deobfuscator I instead add instruction offsets to a queue. A <code>JUMP_ABSOLUTE 200</code> will add offset 200 as next in the queue, and a <code>JUMP_IF_{TRUE,FALSE} &lt;TARGET&gt;</code> will add the offset for the target <strong>and</strong> the next instruction to the queue.</p> <p>Along the way I also compile an instruction graph where each node represents a basic block with edges to other basic blocks:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;stage2_obfuscated.svg" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;stage2_obfuscated.svg" width="500" height="500" alt="" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <h3 id="removing-const-predicates"><a class="zola-anchor" href="#removing-const-predicates" aria-label="Anchor link for: removing-const-predicates" >#</a > Removing const predicates</h3> <p>Remember how I said I rebuilt the Python VM in Rust? <a rel="external" href="https://github.com/landaire/unfuck/blob/de4c631aa725ff8da5aed8e718117b607c009c3d/src/smallvm.rs#L130">I was serious, and it was <em>just</em> to solve this problem.</a> I do what I've called "partial execution". Certain builtin functions are handled, and an individual code object's opcodes are executed to obtain a snapshot of the VM's stack and perform taint tracking. The main function signature is:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// Executes an instruction, altering the input state and returning an error</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// when the instruction cannot be correctly emulated. For example, some complex</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">/// instructions are not currently supported at this time.</span></span> <span class="giallo-l"><span style="color: #F78C6C;">pub fn</span><span style="color: #82AAFF;"> execute_instruction</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">O</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Opcode</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">Mnemonic</span><span style="color: #89DDFF;"> =</span><span> py27</span><span style="color: #89DDFF;">::</span><span style="color: #FFCB6B;">Mnemonic</span><span style="color: #89DDFF;">&gt;,</span><span style="color: #FFCB6B;"> F</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> T</span><span style="color: #89DDFF;">&gt;(</span></span> <span class="giallo-l"><span> instr</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #FFCB6B;">Instruction</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">O</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> code</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> Arc</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">Code</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> stack</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #FFCB6B;"> VmStack</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">T</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> vars</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #FFCB6B;"> VmVars</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">T</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> names</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #FFCB6B;"> VmNames</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">T</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> globals</span><span style="color: #89DDFF;">: &amp;</span><span style="color: #C792EA;">mut</span><span style="color: #FFCB6B;"> VmNames</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">T</span><span style="color: #89DDFF;">&gt;,</span></span> <span class="giallo-l"><span> names_loaded</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> LoadedNames</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> mut</span><span> function_callback</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> F</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> access_tracking</span><span style="color: #89DDFF;">:</span><span style="color: #FFCB6B;"> T</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #89DDFF;">) -&gt;</span><span style="color: #FFCB6B;"> Result</span><span style="color: #89DDFF;">&lt;(),</span><span style="color: #FFCB6B;"> Error</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">O</span><span style="color: #89DDFF;">&gt;&gt;;</span></span></code></pre> <p>Brief rundown of all inputs:</p> <ul> <li><code>instr</code>: the instruction to be executed</li> <li><code>code</code>: the deserialized Python code object for which the instruction belongs to</li> <li><code>stack</code>: current snapshot of the VM stack</li> <li><code>vars</code>: all variable slots and their current values</li> <li><code>names</code>: map to a <code>vars</code> slot</li> <li><code>globals</code>: similar to <code>vars</code> but on a global level</li> <li><code>names_loaded</code>: modules imported</li> <li><code>function_callback</code>: callback for <code>CALL_FUNCTION</code> instruction and can be used for handling builtins or calling other code objects if desired</li> <li><code>access_tracking</code>: data to associate with a VM stack value</li> </ul> <p>When an instruction is executed and the stack is modified, the modified stack value will represent a tuple of <code>(Option&lt;value&gt;, [access_tracking])</code>. The first value in the tuple is the value that resulted from executing an instruction if it could be determined, otherwise <code>None</code>. The second value will represent some metadata for looking up instructions which contributed to generating/modifying that stack value (a basic block index + instruction index).</p> <p>The execution loop for a basic block looks something like this:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">for</span><span> instruction</span><span style="color: #89DDFF;font-style: italic;"> in</span><span> basic_block</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> instruction</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_conditional_jump</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> tos</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">].</span><span style="color: #82AAFF;">is_some</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # Determine the truthiness of top-of-stack.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> #</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # Based off of the opcode (JUMP_IF_{TRUE,FALSE}), determine which</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # branch is never taken and remove the edge from this BB to the BB</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # we will never branch to.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> #</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # We also iterate tos[1] and remove all of the instructions which</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # contributed to tos[0].</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> execute_instruction</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">instruction</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> ...</span><span style="color: #89DDFF;">)</span></span></code></pre> <p>This will effectively <strong>remove</strong> instructions related to const conditions and (usually) the basic block not taken from the graph. These inserted, fake basic blocks are implicitly removed since they become orphaned from the main code graph.</p> <p>There are some issues with this approach:</p> <ol> <li>I need to correctly implement almost all VM instructions</li> <li>Large traces will balloon in computation complexity and memory</li> <li>Complex arithmetic or unsupported instructions will immediately stop the VM, which leaves code only partially deobfuscated</li> </ol> <h3 id="restoring-variable-names"><a class="zola-anchor" href="#restoring-variable-names" aria-label="Anchor link for: restoring-variable-names" >#</a > Restoring Variable Names</h3> <p>Variable names are unfortunately always lost. Instead of "restoring", I simply iterate and replace odd var names with the following script:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> fix_varnames</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">varnames</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #C792EA;"> global</span><span> unknowns</span></span> <span class="giallo-l"><span> newvars</span><span style="color: #89DDFF;"> = []</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span> var</span><span style="color: #89DDFF;font-style: italic;"> in</span><span> varnames</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> var</span><span style="color: #89DDFF;"> =</span><span> var</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">strip</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span> unallowed_chars</span><span style="color: #89DDFF;"> = &#39;</span><span style="color: #C3E88D;">=!@#$%^&amp;*()&quot;</span><span>\&#39;</span><span style="color: #C3E88D;">/, </span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span> banned_char</span><span style="color: #89DDFF;"> = False</span></span> <span class="giallo-l"><span> banned_words</span><span style="color: #89DDFF;"> = [&#39;</span><span style="color: #C3E88D;">assert</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">in</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">continue</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">break</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">for</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">def</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">as</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">elif</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">else</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">for</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">from</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">global</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">if</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">import</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">is</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">lambda</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">not</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">or</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">pass</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">print</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">return</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">while</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">with</span><span style="color: #89DDFF;">&#39;]</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span> c</span><span style="color: #89DDFF;font-style: italic;"> in</span><span> unallowed_chars</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> c</span><span style="color: #89DDFF;"> in</span><span> var</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> banned_char</span><span style="color: #89DDFF;"> = True</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> not</span><span> banned_char</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> var</span><span style="color: #89DDFF;"> in</span><span> banned_words</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> banned_char</span><span style="color: #89DDFF;"> = True</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> banned_char</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> newvars</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">append</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">unknown_</span><span style="color: #F78C6C;">{0}</span><span style="color: #89DDFF;">&#39;.</span><span style="color: #82AAFF;">format</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknowns</span><span style="color: #89DDFF;">))</span></span> <span class="giallo-l"><span> unknowns</span><span style="color: #89DDFF;"> +=</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> newvars</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">append</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">var</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #FFCB6B;"> tuple</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">newvars</span><span style="color: #89DDFF;">)</span></span></code></pre> <p>Pretty simple replacement of illegal-looking variable name with <code>unknown_N</code>.</p> <h3 id="restoring-function-names"><a class="zola-anchor" href="#restoring-function-names" aria-label="Anchor link for: restoring-function-names" >#</a > Restoring Function Names</h3> <p>Unlike var names, function names generally <em>can</em> be restored due to an oversight in the obfuscator. When a function is defined in a module, the bytecode for setting it up looks like the following:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>LOAD_CONST &lt;CONST_INDEX&gt; # Load the code object</span></span> <span class="giallo-l"><span>MAKE_FUNCTION # Take the loaded code object and tell the interpreter to turn it into a function</span></span> <span class="giallo-l"><span>STORE_NAME &lt;NAME_INDEX&gt; # Store the created function at the specified named index</span></span></code></pre> <p><code>NAME_INDEX</code> corresponds to a <code>name</code> string value located in the <code>co_names</code> array in the code object. The code object for the function also contains its name, which is generally what's used by decompilers to label a function. I leveraged this in my instruction handler loop by checking:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">for</span><span> instruction</span><span style="color: #89DDFF;font-style: italic;"> in</span><span> basic_block</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> instruction</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">is_store_name</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span> accessed_instructions</span><span style="color: #89DDFF;"> =</span><span> tos</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> accessed_instructions</span><span style="color: #89DDFF;">[-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">].</span><span style="color: #82AAFF;">is_make_function</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # change the function name on the code object to match what this</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> # scope sees as the function name</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> fix_function_name</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">tos</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">],</span><span style="color: #82AAFF;"> co</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">co_names</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">instruction</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">argument</span><span style="color: #89DDFF;">])</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> execute_instruction</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">instruction</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> ...</span><span style="color: #89DDFF;">)</span></span></code></pre> <p>Strictly speaking these names aren't even necessary for the VM to run the code since they're really only present for debugging purposes. I suspect that this is either an oversight by Lesta or they deliberately left these in for debugging crashes on clients (although I'm not certain if they send back Python crash reports). Maybe there's something I don't know though.</p> <h3 id="deoptimizing-code"><a class="zola-anchor" href="#deoptimizing-code" aria-label="Anchor link for: deoptimizing-code" >#</a > Deoptimizing Code</h3> <p>I <em>think</em> that <code>RETURN_VALUE</code> is really the only case I had to correct, and it was a fairly simple fix.</p> <ol> <li>Look for basic blocks that contain only a <code>RETURN_VALUE</code> instruction</li> <li>For each incoming edge, replace the final instruction in the basic block to be <code>RETURN_VALUE</code></li> <li>Remove the basic block from step 1</li> </ol> <p>The example control flow for return values then provided <a href="https://landaire.net/world-of-warships-deobfuscation/#5-implicit-returns">in the section about implicit returns</a> will now look like this:</p> <p><img src="/img/wows-obfuscation/implicit_return_fix.svg" alt="Implicit return fixups" /></p> <h3 id="fixing-bad-instructions"><a class="zola-anchor" href="#fixing-bad-instructions" aria-label="Anchor link for: fixing-bad-instructions" >#</a > Fixing Bad Instructions</h3> <p>There are some scenarios where code paths containing bad instructions can't be outright removed. Usually it's because a condition couldn't be proven to be a const predicate, or there was some other factor involved that led to it not being removed. Even though I <em>know</em> they're bad, I'm hesitant to outright outright remove the nodes and conditions as gaps in the VM and data mixing may lead to incorrect instruction removal.</p> <p>To correct these basic blocks I calculate the depth of the stack at the location of the bad instruction, insert enough <code>POP_TOP</code> instructions to clear out the stack, and finally put a <code>LOAD_CONST None</code> and <code>RETURN_VALUE</code> at the end of the basic block to force a <code>return None</code>.</p> <h2 id="the-rest-of-the-matryoshka-doll"><a class="zola-anchor" href="#the-rest-of-the-matryoshka-doll" aria-label="Anchor link for: the-rest-of-the-matryoshka-doll" >#</a > The Rest of The Matryoshka Doll</h2> <p>There are four distinct "stages" to loading the Python module, two of which we've already loosely discussed from lpcvoid's blog (encrypted code, and the compressed code).</p> <h3 id="stage-2-decompressed-code"><a class="zola-anchor" href="#stage-2-decompressed-code" aria-label="Anchor link for: stage-2-decompressed-code" >#</a > Stage 2 - Decompressed Code</h3> <p>The following is an example stage 3 payload:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> sys</span><span style="color: #89DDFF;">,</span><span> marshal</span><span style="color: #89DDFF;">,</span><span> copy_reg</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span style="color: #82AAFF;"> id</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">marshal</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">loads</span><span style="color: #89DDFF;">) !=</span><span> copy_reg</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">mmId</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span></span> <span class="giallo-l"><span>code</span><span style="color: #89DDFF;"> =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">_getframe</span><span style="color: #89DDFF;">().</span><span style="color: #F07178;">f_back</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">f_code</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">co_code</span></span> <span class="giallo-l"><span>impf</span><span style="color: #89DDFF;"> = (</span><span style="color: #82AAFF;">isinstance</span><span style="color: #89DDFF;">(</span><span>__builtins__</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> dict</span><span style="color: #89DDFF;">) or</span><span> __builtins__</span><span style="color: #89DDFF;">).</span><span style="color: #F07178;">__import__</span><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;font-style: italic;"> else</span><span> __builtins__</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">__import__</span><span style="color: #89DDFF;">&#39;]</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span style="color: #89DDFF;"> not</span><span style="color: #82AAFF;"> hasattr</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">impf</span><span style="color: #89DDFF;">, &#39;</span><span style="color: #C3E88D;">func_code</span><span style="color: #89DDFF;">&#39;) or</span><span style="color: #82AAFF;"> hash</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">impf</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">func_code</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">co_code</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 1236377808</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #82AAFF;"> hasattr</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">impf</span><span style="color: #89DDFF;">, &#39;</span><span style="color: #C3E88D;">func_code</span><span style="color: #89DDFF;">&#39;) and</span><span style="color: #FFCB6B;"> type</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">impf</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">func_globals</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">common</span><span style="color: #89DDFF;">&#39;]) !=</span><span style="color: #FFCB6B;"> type</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">marshal</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">loads</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span> f123--</span><span style="color: #89DDFF;">-</span><span> This code section failed</span><span style="color: #89DDFF;">:</span><span> --</span><span style="color: #89DDFF;">-</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 0</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">common</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 3</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">arg</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 6</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">kw</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 9</span><span> CALL_FUNCTION_VAR_KW_0</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 12</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 15</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">type</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 18</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 21</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 24</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">__name__</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 27</span><span> LOAD_CONST</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">module</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 30</span><span> COMPARE_OP</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> ==</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 33</span><span> POP_JUMP_IF_FALSE</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 36</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">hasattr</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 39</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 42</span><span> LOAD_CONST</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">__file__</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 45</span><span> CALL_FUNCTION_2</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 48</span><span> POP_JUMP_IF_FALSE</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 51</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">hasattr</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 54</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 57</span><span> LOAD_CONST</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">gCPLBx86</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 60</span><span> CALL_FUNCTION_2</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 63</span><span> UNARY_NOT</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 64</span><span> POP_JUMP_IF_TRUE</span><span style="color: #F78C6C;"> 82</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 82</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 67</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 70</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">gCPLBx86</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 73</span><span> LOAD_CONST</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">1663084375</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 76</span><span> COMPARE_OP</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> !=</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 79_0</span><span> COME_FROM</span><span style="color: #F78C6C;"> 64</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">64</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 79</span><span> POP_JUMP_IF_FALSE</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 82</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">arg</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 85</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 88</span><span> BINARY_SUBSCR</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 89</span><span style="color: #82AAFF;"> LOAD_CONST</span><span style="color: #89DDFF;"> (&#39;</span><span style="color: #C3E88D;">collections</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">utf8_test</span><span style="color: #89DDFF;">&#39;, &#39;</span><span style="color: #C3E88D;">copy_reg</span><span style="color: #89DDFF;">&#39;)</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 92</span><span> COMPARE_OP</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> not-in</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 95_0</span><span> COME_FROM</span><span style="color: #F78C6C;"> 79</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">79</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 95_1</span><span> COME_FROM</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">48</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 95_2</span><span> COME_FROM</span><span style="color: #F78C6C;"> 33</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">33</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 95</span><span> POP_JUMP_IF_FALSE</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 98</span><span> SETUP_EXCEPT</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 149</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 101</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">loaded</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 104</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">add</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 107</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">id</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 110</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 113</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 116</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">arg</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 119</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 122</span><span> BINARY_SUBSCR</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 123</span><span> BUILD_TUPLE_2</span><span style="color: #F78C6C;"> 2</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 126</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 129</span><span> POP_TOP</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 130</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">sys</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 133</span><span> DUP_TOP</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 134</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">errCnt</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 137</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 140</span><span> INPLACE_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 141</span><span> ROT_TWO</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 142</span><span> STORE_ATTR</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">errCnt</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 145</span><span> POP_BLOCK</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 146</span><span> JUMP_FORWARD</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 149_0</span><span> COME_FROM</span><span style="color: #F78C6C;"> 98</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">98</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 149</span><span> POP_TOP</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 150</span><span> POP_TOP</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 151</span><span> POP_TOP</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 152</span><span> JUMP_FORWARD</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 155</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 155_0</span><span> COME_FROM</span><span style="color: #F78C6C;"> 152</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">152</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 155_1</span><span> COME_FROM</span><span style="color: #F78C6C;"> 146</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">146</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 155</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">res</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 158</span><span> RETURN_VALUE</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> -</span><span style="color: #F78C6C;">1</span><span> RETURN_LAST</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Parse error at</span><span style="color: #89DDFF;"> or</span><span> near `</span><span style="color: #89DDFF;">None&#39;</span><span style="color: #C3E88D;"> instruction at offset -1</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> f123</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">impf</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> f222</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> import</span><span> sys</span></span> <span class="giallo-l"><span> f222</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">func_globals</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">loaded</span><span style="color: #89DDFF;">&#39;] =</span><span style="color: #FFCB6B;"> set</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> not</span><span style="color: #82AAFF;"> isinstance</span><span style="color: #89DDFF;">(</span><span>__builtins__</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> dict</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> f222</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">func_globals</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">common</span><span style="color: #89DDFF;">&#39;] =</span><span> __builtins__</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">__import__</span><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;font-style: italic;"> else</span><span> __builtins__</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">__import__</span><span style="color: #89DDFF;">&#39;]</span></span> <span class="giallo-l"><span> f222</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">func_globals</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">sys</span><span style="color: #89DDFF;">&#39;] =</span><span> sys</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">errCnt</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 0</span></span> <span class="giallo-l"><span> __builtins__</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">__import__</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> isinstance</span><span style="color: #89DDFF;">(</span><span>__builtins__</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> dict</span><span style="color: #89DDFF;">) or</span><span> f222</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> __builtins__</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">__import__</span><span style="color: #89DDFF;">&#39;] =</span><span> f222</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">settrace</span><span style="color: #89DDFF;">(None)</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">settrace</span><span style="color: #89DDFF;"> =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">getrefcount</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">setprofile</span><span style="color: #89DDFF;">(None)</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">setprofile</span><span style="color: #89DDFF;"> =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">getrefcount</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">gettrace</span><span style="color: #89DDFF;"> =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">exit</span></span> <span class="giallo-l"><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">getprofile</span><span style="color: #89DDFF;"> =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">exit</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> f333</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">impf</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> f222</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> impf</span><span style="color: #89DDFF;"> =</span><span> f222</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> f123</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">marshaled</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> swapMap</span><span style="color: #89DDFF;"> = {</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 151</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 235</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 249</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 100</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 10</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 188</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 106</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 128</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 122</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 10</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 220</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 11</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 189</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 242</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 253</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 14</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 210</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 243</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 17</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 27</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 18</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 222</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 19</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 90</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 20</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 139</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 21</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 18</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 22</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 79</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 23</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 255</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 24</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 230</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 25</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 83</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 26</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 20</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 27</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 74</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 28</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 89</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 29</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 141</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 30</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 219</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 123</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 32</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 203</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 33</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 51</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 34</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 98</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 35</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 53</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 36</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 103</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 37</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 204</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 38</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 190</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 39</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 118</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 40</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 62</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 41</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 161</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 42</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 41</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 43</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 241</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 44</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 247</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 45</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 101</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 46</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 196</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 47</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 153</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 181</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 49</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 40</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 50</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 152</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 51</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 174</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 52</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 140</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 53</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 171</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 54</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 44</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 55</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 134</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 56</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 158</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 57</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 88</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 58</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 70</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 59</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 132</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 60</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 173</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 61</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 62</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 129</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 63</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 64</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 86</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 65</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 21</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 66</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 148</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 67</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 145</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 68</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 211</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 69</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 127</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 70</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 224</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 71</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 167</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 72</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 185</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 73</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 237</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 74</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 147</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 75</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 233</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 76</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 58</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 77</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 175</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 78</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 14</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 79</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 252</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 80</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 209</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 81</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 82</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 37</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 83</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 162</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 84</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 42</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 85</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 227</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 86</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 78</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 87</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 136</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 88</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 89</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 246</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 90</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 81</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 91</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 126</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 92</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 186</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 93</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 94</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 87</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 95</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 150</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 96</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 96</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 97</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 39</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 98</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 193</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 99</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 28</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 100</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 55</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 101</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 59</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 102</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 200</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 103</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 30</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 104</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 225</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 105</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 197</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 106</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 212</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 107</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 213</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 108</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 245</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 109</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 179</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 110</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 105</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 111</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 111</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 112</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 112</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 113</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 32</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 114</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 156</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 115</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 91</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 116</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 68</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 117</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 50</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 118</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 119</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 66</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 120</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 84</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 121</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 159</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 122</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 182</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 123</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 102</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 124</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 221</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 125</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 154</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 126</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 57</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 127</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 254</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 128</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 130</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 129</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 17</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 130</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 82</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 131</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 77</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 132</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 104</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 133</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 95</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 134</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 146</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 135</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 136</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 169</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 137</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 164</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 138</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 121</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 139</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 223</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 140</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 11</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 141</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 232</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 142</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 244</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 143</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 218</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 144</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 85</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 145</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 113</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 146</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 177</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 147</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 166</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 148</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 52</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 149</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 24</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 150</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 170</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 151</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 152</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 73</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 153</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 144</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 154</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 236</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 155</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 34</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 156</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 205</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 157</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 115</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 158</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 114</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 159</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 226</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 160</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 45</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 161</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 234</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 162</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 19</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 163</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 133</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 164</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 168</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 165</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 135</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 166</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 194</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 167</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 99</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 168</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 138</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 169</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 251</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 170</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 46</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 171</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 72</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 172</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 60</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 173</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 94</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 174</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 175</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 75</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 176</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 177</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 178</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 178</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 116</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 179</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 238</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 180</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 181</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 143</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 182</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 92</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 183</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 142</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 184</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 176</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 185</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 25</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 186</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 108</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 187</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 250</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 188</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 189</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 160</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 190</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 107</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 191</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 240</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 192</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 208</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 193</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 194</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 187</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 195</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 49</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 196</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 197</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 184</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 198</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 199</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 199</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 43</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 200</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 165</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 201</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 38</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 202</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 125</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 203</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 76</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 204</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 110</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 205</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 71</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 206</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 33</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 207</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 217</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 208</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 209</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 229</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 210</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 120</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 211</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 131</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 212</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 195</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 213</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 69</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 214</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 231</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 215</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 97</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 216</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 248</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 217</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 201</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 218</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 206</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 219</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 22</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 220</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 23</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 221</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 35</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 222</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 207</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 223</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 124</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 224</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 137</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 225</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 65</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 226</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 157</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 227</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 93</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 228</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 180</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 229</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 56</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 230</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 117</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 231</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 63</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 232</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 191</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 233</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 109</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 234</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 239</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 235</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 36</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 236</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 202</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 237</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 163</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 238</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 119</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 239</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 214</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 240</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 183</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 241</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 54</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 242</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 172</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 243</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 29</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 244</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 47</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 245</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 228</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 246</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 198</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 247</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 61</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 248</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 26</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 249</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 149</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 250</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 67</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 251</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 216</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 252</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 192</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 253</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 80</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 254</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 64</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 255</span><span style="color: #89DDFF;">:</span><span style="color: #F78C6C;"> 215</span><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"><span> marshaled</span><span style="color: #89DDFF;"> = (&#39;&#39;).</span><span style="color: #82AAFF;">join</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">map</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">chr</span><span style="color: #89DDFF;">, [</span><span style="color: #82AAFF;"> swapMap</span><span style="color: #89DDFF;">[</span><span style="color: #82AAFF;">ord</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">n</span><span style="color: #89DDFF;">)]</span><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #82AAFF;"> n</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #82AAFF;"> marshaled</span><span style="color: #89DDFF;"> ]))</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> marshaled</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span>co_code</span><span style="color: #89DDFF;"> = [</span><span style="color: #82AAFF;"> chr</span><span style="color: #89DDFF;">(((</span><span style="color: #82AAFF;">byte</span><span style="color: #89DDFF;"> ^</span><span style="color: #F78C6C;"> 38</span><span style="color: #89DDFF;">) &amp;</span><span style="color: #F78C6C;"> 126</span><span style="color: #89DDFF;"> | (</span><span style="color: #82AAFF;">byte</span><span style="color: #89DDFF;"> ^</span><span style="color: #F78C6C;"> 38</span><span style="color: #89DDFF;">) &gt;&gt;</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> &amp;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> | ((</span><span style="color: #82AAFF;">byte</span><span style="color: #89DDFF;"> ^</span><span style="color: #F78C6C;"> 38</span><span style="color: #89DDFF;">) &amp;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) &lt;&lt;</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">) ^</span><span style="color: #F78C6C;"> 89</span><span style="color: #89DDFF;">)</span><span style="color: #89DDFF;font-style: italic;"> for</span><span> byte</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #89DDFF;"> [</span><span style="color: #82AAFF;"> ord</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">byte</span><span style="color: #89DDFF;">)</span><span style="color: #89DDFF;font-style: italic;"> for</span><span> byte</span><span style="color: #89DDFF;font-style: italic;"> in</span><span style="color: #82AAFF;"> f123</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">code</span><span style="color: #89DDFF;">) ] ]</span></span> <span class="giallo-l"><span>locDict</span><span style="color: #89DDFF;"> = {}</span></span> <span class="giallo-l"><span>locDict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">globs</span><span style="color: #89DDFF;">&#39;] =</span><span> sys</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">_getframe</span><span style="color: #89DDFF;">().</span><span style="color: #F07178;">f_back</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">f_globals</span></span> <span class="giallo-l"><span>locDict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">code</span><span style="color: #89DDFF;">&#39;] =</span><span> marshal</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">loads</span><span style="color: #89DDFF;">((&#39;&#39;).</span><span style="color: #82AAFF;">join</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">co_code</span><span style="color: #89DDFF;">[::-</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">]))</span></span> <span class="giallo-l"><span>locDict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">marshal</span><span style="color: #89DDFF;">&#39;] =</span><span> marshal</span></span> <span class="giallo-l"><span style="color: #82AAFF;">exec</span><span> locDict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">code</span><span style="color: #89DDFF;">&#39;] in</span><span> locDict</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> f111</span><span style="color: #89DDFF;">():</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> pass</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;">f111</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">del</span><span> f111</span></span></code></pre> <p>There are some checks to ensure that certain state is set up, but in general this will:</p> <ol> <li>Load the <code>co_code</code> from the original stage 1 file</li> <li>Apply a substitution cipher over each byte</li> <li>Do some bit arithmetic on each byte of the result from step 2</li> <li>Execute the code that was just decoded</li> </ol> <p>In my deobfuscator I was able to leverage the custom Python VM to apply the swapmap for me by creating a state machine. Essentially I scan for certain instructions that look like they're applying the swapmap, then execute that function with some fake VM stack set up. That code can be found here: <a rel="external" href="https://github.com/landaire/wowsdeob/blob/ffeeedaea9390c1d1e9ba785360e75aaa1aa10d0/src/smallvm.rs">https://github.com/landaire/wowsdeob/blob/ffeeedaea9390c1d1e9ba785360e75aaa1aa10d0/src/smallvm.rs</a></p> <h3 id="stage-3"><a class="zola-anchor" href="#stage-3" aria-label="Anchor link for: stage-3" >#</a > Stage 3</h3> <p>This stage is pretty boring all things considered. The Stage 3 code object is just another compressed code object that's been base64 encoded and had the result reversed.</p> <p><img src="/img/wows-obfuscation/stage3_base64.png" alt="Sample showing the base64-encoded data" /></p> <p>No big tricks here. The deobfuscator logic can be found here: <a rel="external" href="https://github.com/landaire/wowsdeob/blob/ffeeedaea9390c1d1e9ba785360e75aaa1aa10d0/src/main.rs#L290-L297">https://github.com/landaire/wowsdeob/blob/ffeeedaea9390c1d1e9ba785360e75aaa1aa10d0/src/main.rs#L290-L297</a>.</p> <p>Worth noting that this is the stage which references the Lestas "Anti noobs protection"!</p> <p><img src="/img/wows-obfuscation/stage3_anti_noobs_protection.png" alt="Anti noobs protection" /></p> <h3 id="stage-4"><a class="zola-anchor" href="#stage-4" aria-label="Anchor link for: stage-4" >#</a > Stage 4</h3> <p>We have the final module! This module now needs to have all generic deobfuscation tricks applied to get decompilation.</p> <h2 id="end-result"><a class="zola-anchor" href="#end-result" aria-label="Anchor link for: end-result" >#</a > End Result</h2> <p>The end result of this effort is going from a file that fails to decompile:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="shellscript"><span class="giallo-l"><span style="color: #FFCB6B;">❯</span><span style="color: #C3E88D;"> uncompyle6 ./output/AirplaneUtils_stage4.pyc</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># uncompyle6 version 3.8.0</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Python bytecode 2.7 (62211)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Decompiled from: Python 2.7.18 (default, Sep 28 2022, 20:52:16)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># [GCC Apple LLVM 14.0.0 (clang-1400.0.29.102)]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Warning: this version of Python has problems handling the Python 3 byte type in constants properly.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Embedded file name: 26977129990194521</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Compiled at: 2020-12-14 08:10:48</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">Traceback</span><span> (most</span><span style="color: #C3E88D;"> recent call last</span><span>):</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/bin/uncompyle6</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 10, in</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">modul</span><span>e</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> sys.exit(main_bin(</span><span>))</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/bin/uncompile.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 194, in main_bin</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> **options</span><span>)</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/main.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 328, in main</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> do_fragments,</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/main.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 230, in decompile_file</span></span> <span class="giallo-l"><span> do_fragments</span><span style="color: #89DDFF;">=</span><span style="color: #C3E88D;">do_fragments,</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/main.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 149, in decompile</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> co,</span><span style="color: #C3E88D;"> out, bytecode_version, debug_opts=debug_opts, is_pypy=is_pypy</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/semantics/pysource.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 2578, in code_deparse</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> co,</span><span style="color: #C3E88D;"> code_objects=code_objects, show_asm=debug_opts[</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">asm</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">]</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> File</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">/Users/lander/.pyenv/versions/2.7.18/lib/python2.7/site-packages/uncompyle6/scanners/scanner2.py</span><span style="color: #89DDFF;">&quot;</span><span style="color: #C3E88D;">, line 350, in ingest</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> pattr</span><span style="color: #C3E88D;"> = names[oparg]</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">IndexError:</span><span style="color: #C3E88D;"> tuple index out of range</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">zsh:</span><span style="color: #C3E88D;"> exit</span><span style="color: #F78C6C;"> 1</span><span style="color: #C3E88D;"> uncompyle6 ./output/AirplaneUtils_stage4.pyc</span></span></code></pre> <p>To:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="python"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># uncompyle6 version 3.8.0</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Python bytecode 2.7 (62211)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Decompiled from: Python 2.7.18 (default, Sep 28 2022, 20:52:16)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># [GCC Apple LLVM 14.0.0 (clang-1400.0.29.102)]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Warning: this version of Python has problems handling the Python 3 byte type in constants properly.</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Embedded file name: 123823449462</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># Compiled at: 2020-12-14 08:10:48</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> math</span><span style="color: #89DDFF;">,</span><span> random</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> ConstantsUtils</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> idGenerator</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">import</span><span> GameParams</span><span style="color: #89DDFF;">,</span><span> Junk</span><span style="color: #89DDFF;">,</span><span> Lesta</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> Math</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> Vector3</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> AirPlanes</span><span style="color: #89DDFF;">.</span><span>AirplaneConstants</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> DeathReason</span><span style="color: #89DDFF;">,</span><span> SquadronStateEnum</span><span style="color: #89DDFF;">,</span><span> Throttle</span><span style="color: #89DDFF;">,</span><span> TurnDirection</span><span style="color: #89DDFF;">,</span><span> PlaneTypeNames</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> AirplaneConstants</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> SQUADRON_DEPARTURE_BIT</span><span style="color: #89DDFF;">,</span><span> SQUADRON_PURPOSE_BIT</span><span style="color: #89DDFF;">,</span><span> SQUADRON_INDEX_BIT</span><span style="color: #89DDFF;">,</span><span> PLANETYPE_2_PARAMSNAME</span><span style="color: #89DDFF;">,</span><span> PLANE_TORPEDO_CONE_HALF_WIDTH</span><span style="color: #89DDFF;">,</span><span> PlaneTypes</span><span style="color: #89DDFF;">,</span><span> PLANE_PROJECTILE_GRAVITY</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> mc0f1198d</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> devMode</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> md0ce06f9</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> LOG_ERROR</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> m79622f13</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> normaliseAngle</span><span style="color: #89DDFF;">,</span><span> getDirectionFromYaw</span><span style="color: #89DDFF;">,</span><span> lerp</span><span style="color: #89DDFF;">,</span><span> lerpAngles</span><span style="color: #89DDFF;">,</span><span> getDirectionFromYawPitch</span><span style="color: #89DDFF;">,</span><span> EPSILON</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> PlanesDEFConverter</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> PlanesDictConverter</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> PyMagic</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> pTuple</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> mc062022a</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> ShipTypes</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">from</span><span> shared_constants</span><span style="color: #89DDFF;">.</span><span>m22c5a818</span><span style="color: #89DDFF;font-style: italic;"> import</span><span> PLANE_AMMO_TYPES</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">class</span><span style="color: #FFCB6B;"> WayPoint</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> enum</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> idGenerator</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> GENERATED</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> RESET</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> LAUNCHING_START_NODE</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> LAUNCHING_END_NODE</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> LANDING_START_NODE</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> LANDING_END_NODE</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> next</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">enum</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> del</span><span> enum</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> __init__</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;font-style: italic;">self</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> pos</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> yaw</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> pitch</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> time</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> waypointType</span><span style="color: #89DDFF;">=</span><span>GENERATED</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;"> =</span><span> pos</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;"> =</span><span> yaw</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pitch</span><span style="color: #89DDFF;"> =</span><span> pitch</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">time</span><span style="color: #89DDFF;"> =</span><span> time</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">sent</span><span style="color: #89DDFF;"> = False</span></span> <span class="giallo-l"><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">type</span><span style="color: #89DDFF;"> =</span><span> waypointType</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> __repr__</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;font-style: italic;">self</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> (&#39;</span><span style="color: #C3E88D;">&lt;&lt; Waypoint pos:</span><span style="color: #F78C6C;">{0}</span><span style="color: #C3E88D;">, time:</span><span style="color: #F78C6C;">{1}</span><span style="color: #C3E88D;">, type:</span><span style="color: #F78C6C;">{2}</span><span style="color: #C3E88D;">, yaw:</span><span style="color: #F78C6C;">{3}</span><span style="color: #C3E88D;">, pitch: </span><span style="color: #F78C6C;">{4}</span><span style="color: #C3E88D;">&gt;&gt;</span><span style="color: #89DDFF;">&#39;).</span><span style="color: #82AAFF;">format</span><span style="color: #89DDFF;">(</span><span>self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">,</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">time</span><span style="color: #89DDFF;">,</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">type</span><span style="color: #89DDFF;">,</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pitch</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> toDict</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;font-style: italic;">self</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> {&#39;</span><span style="color: #C3E88D;">position</span><span style="color: #89DDFF;">&#39;:</span><span style="color: #82AAFF;"> Vector3</span><span style="color: #89DDFF;">(</span><span>self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">), &#39;</span><span style="color: #C3E88D;">yaw</span><span style="color: #89DDFF;">&#39;:</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">, &#39;</span><span style="color: #C3E88D;">pitch</span><span style="color: #89DDFF;">&#39;:</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">normaliseAngle</span><span style="color: #89DDFF;">(</span><span>self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pitch</span><span style="color: #89DDFF;">, False) *</span><span style="color: #F78C6C;"> 127</span><span style="color: #89DDFF;"> /</span><span style="color: #82AAFF;"> math</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pi</span><span style="color: #89DDFF;">), &#39;</span><span style="color: #C3E88D;">time</span><span style="color: #89DDFF;">&#39;:</span><span style="color: #FFCB6B;"> int</span><span style="color: #89DDFF;">(</span><span>self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">time</span><span style="color: #89DDFF;"> *</span><span style="color: #F78C6C;"> 1000</span><span style="color: #89DDFF;">), &#39;</span><span style="color: #C3E88D;">type</span><span style="color: #89DDFF;">&#39;:</span><span> self</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">type</span><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> @</span><span style="color: #FFCB6B;">staticmethod</span></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> fromDict</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">dict</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #82AAFF;"> WayPoint</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">Vector3</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">dict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">position</span><span style="color: #89DDFF;">&#39;]),</span><span style="color: #82AAFF;"> dict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">yaw</span><span style="color: #89DDFF;">&#39;],</span><span style="color: #82AAFF;"> dict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">pitch</span><span style="color: #89DDFF;">&#39;] *</span><span style="color: #82AAFF;"> math</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pi</span><span style="color: #89DDFF;"> /</span><span style="color: #F78C6C;"> 127.0</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> dict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">time</span><span style="color: #89DDFF;">&#39;] /</span><span style="color: #F78C6C;"> 1000.0</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> dict</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">type</span><span style="color: #89DDFF;">&#39;])</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> @</span><span style="color: #FFCB6B;">staticmethod</span></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> _splineReference</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">point1</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> point2</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> t</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_0</span><span style="color: #89DDFF;"> =</span><span> point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">flatDistTo</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> unknown_0</span><span style="color: #89DDFF;"> &gt;</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> unknown_1</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 1.0</span><span style="color: #89DDFF;"> -</span><span> t</span></span> <span class="giallo-l"><span> unknown_2</span><span style="color: #89DDFF;"> =</span><span> unknown_0</span><span style="color: #89DDFF;"> *</span><span style="color: #82AAFF;"> getDirectionFromYaw</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> =</span><span> unknown_0</span><span style="color: #89DDFF;"> *</span><span style="color: #82AAFF;"> getDirectionFromYaw</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> unknown_3</span><span style="color: #89DDFF;"> =</span><span> unknown_1</span><span style="color: #89DDFF;"> *</span><span> unknown_1</span><span style="color: #89DDFF;"> * (</span><span style="color: #F78C6C;">1.0</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2.0</span><span style="color: #89DDFF;"> *</span><span> t</span><span style="color: #89DDFF;">) *</span><span> point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;"> +</span><span> t</span><span style="color: #89DDFF;"> *</span><span> t</span><span style="color: #89DDFF;"> * (</span><span style="color: #F78C6C;">1.0</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2.0</span><span style="color: #89DDFF;"> *</span><span> unknown_1</span><span style="color: #89DDFF;">) *</span><span> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;"> +</span><span> unknown_1</span><span style="color: #89DDFF;"> *</span><span> unknown_1</span><span style="color: #89DDFF;"> *</span><span> t</span><span style="color: #89DDFF;"> *</span><span> unknown_2</span><span style="color: #89DDFF;"> -</span><span> unknown_1</span><span style="color: #89DDFF;"> *</span><span> t</span><span style="color: #89DDFF;"> *</span><span> t</span><span style="color: #89DDFF;"> *</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"><span> unknown_4</span><span style="color: #89DDFF;"> =</span><span> point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">flatDistTo</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_3</span><span style="color: #89DDFF;">) /</span><span> unknown_0</span></span> <span class="giallo-l"><span> unknown_3</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">y</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerp</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">y</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">y</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> unknown_4</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> unknown_5</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerpAngles</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> t</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> unknown_6</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 0.0</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span> unknown_3</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerp</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> t</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> unknown_5</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerpAngles</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> t</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span> unknown_6</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 0.0</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> (</span><span>unknown_3</span><span style="color: #89DDFF;">,</span><span> unknown_5</span><span style="color: #89DDFF;">,</span><span> unknown_6</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> def</span><span style="color: #82AAFF;"> spline</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">point1</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> point2</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> t</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> Lesta</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">splineWayPoints</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point1</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pitch</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pos</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">yaw</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> point2</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">pitch</span><span style="color: #89DDFF;">,</span><span style="color: #82AAFF;"> t</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> spline</span><span style="color: #89DDFF;"> =</span><span> _splineOptimised</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> generateSquadronId</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">shipId</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> index</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> purpose</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> departureId</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> &quot;&quot;&quot;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> Generates id of the squadron based on the given arguments.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :param shipId: id of the owner</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :type shipId: int</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :param index: index of the squadron within the owner</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :type index: int</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :param purpose: the function that squadron is performing</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :type purpose: int (AirplaneConstants.SquadronPurpose)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :param departureId: unique departure id of the squadron incremented with every subsequent id generation</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :type departureId: int</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :return id of the squadron</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> :rtype: int</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> &quot;&quot;&quot;</span></span> <span class="giallo-l"><span> unknown_7</span><span style="color: #89DDFF;"> =</span><span> departureId</span><span style="color: #89DDFF;"> &lt;&lt;</span><span> SQUADRON_DEPARTURE_BIT</span><span style="color: #89DDFF;"> |</span><span> purpose</span><span style="color: #89DDFF;"> &lt;&lt;</span><span> SQUADRON_PURPOSE_BIT</span><span style="color: #89DDFF;"> |</span><span> index</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &lt;&lt;</span><span> SQUADRON_INDEX_BIT</span><span style="color: #89DDFF;"> |</span><span> shipId</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> assert</span><span style="color: #82AAFF;"> retrieveOwnerID</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_7</span><span style="color: #89DDFF;">) ==</span><span> shipId</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> assert</span><span style="color: #82AAFF;"> retrieveSquadronIndex</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_7</span><span style="color: #89DDFF;">) ==</span><span> index</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> assert</span><span style="color: #82AAFF;"> retrieveSquadronPurpose</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_7</span><span style="color: #89DDFF;">) ==</span><span> purpose</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> unknown_7</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> retrieveSquadronIndex</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">squadronId</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_8</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 7</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> (</span><span>squadronId</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> SQUADRON_INDEX_BIT</span><span style="color: #89DDFF;"> &amp;</span><span> unknown_8</span><span style="color: #89DDFF;">) -</span><span style="color: #F78C6C;"> 1</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> retrieveSquadronPurpose</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">squadronId</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_9</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 7</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> squadronId</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> SQUADRON_PURPOSE_BIT</span><span style="color: #89DDFF;"> &amp;</span><span> unknown_9</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> retrieveSquadronDeparture</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">squadronId</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_10</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 7</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> squadronId</span><span style="color: #89DDFF;"> &gt;&gt;</span><span> SQUADRON_DEPARTURE_BIT</span><span style="color: #89DDFF;"> &amp;</span><span> unknown_10</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> parseSquadronId</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">squadronId</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> (</span><span style="color: #82AAFF;">retrieveSquadronIndex</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">squadronId</span><span style="color: #89DDFF;">),</span><span style="color: #82AAFF;"> retrieveSquadronPurpose</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">squadronId</span><span style="color: #89DDFF;">),</span><span style="color: #82AAFF;"> retrieveSquadronDeparture</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">squadronId</span><span style="color: #89DDFF;">))</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> retrieveOwnerID</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">id</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #82AAFF;"> id</span><span style="color: #89DDFF;"> &amp;</span><span style="color: #F78C6C;"> 4294967295</span><span style="color: #C792EA;">L</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> getPlaneName</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">params</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> planeType</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_11</span><span style="color: #89DDFF;"> =</span><span> PLANETYPE_2_PARAMSNAME</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">get</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">planeType</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span> planeType</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> params</span><span style="color: #89DDFF;">.</span><span>__dict__</span><span style="color: #89DDFF;">[</span><span>unknown_11</span><span style="color: #89DDFF;">].</span><span style="color: #F07178;">planeType</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span> planeType</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span> getTorpedoingArea--</span><span style="color: #89DDFF;">-</span><span> This code section failed</span><span style="color: #89DDFF;">:</span><span> --</span><span style="color: #89DDFF;">-</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 0</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">getDirectionFromYaw</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 3</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">attackDir</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 6</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">yaw</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 9</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">math</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 12</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">pi</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 15</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 2</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 18</span><span> BINARY_DIVIDE</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 19</span><span> BINARY_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 20</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 23</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 26</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">min</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 29</span><span> LOAD_CODE</span><span style="color: #89DDFF;"> &lt;</span><span>code_object</span><span style="color: #F78C6C;"> 369464740902</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 32</span><span> MAKE_FUNCTION_0</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 35</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">formation</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 38</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">positions</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 41</span><span> GET_ITER</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 42</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 45</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 48</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_15</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 51</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">max</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 54</span><span> LOAD_CODE</span><span style="color: #89DDFF;"> &lt;</span><span>code_object</span><span style="color: #F78C6C;"> 369537115186</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 57</span><span> MAKE_FUNCTION_0</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 60</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">formation</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 63</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">positions</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 66</span><span> GET_ITER</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 67</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 70</span><span> CALL_FUNCTION_1</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> None</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 73</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_16</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 76</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_16</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 79</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_15</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 82</span><span> BINARY_SUBTRACT</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 83</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_17</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 86</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_17</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 89</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">currentPlaneCount</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 92</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 93</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">formation</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 96</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">npositions</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 99</span><span> BINARY_DIVIDE</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 100</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 10</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_18</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 103</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">attackPoint</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 106</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 10</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_18</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 109</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 2</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 112</span><span> BINARY_DIVIDE</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 113</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">PLANE_TORPEDO_CONE_HALF_WIDTH</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 116</span><span> BINARY_SUBTRACT</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 117</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 120</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 121</span><span> BINARY_SUBTRACT</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 122</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 11</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_19</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 125</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">attackPoint</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 128</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 10</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_18</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 131</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 2</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 134</span><span> BINARY_DIVIDE</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 135</span><span> LOAD_GLOBAL</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">PLANE_TORPEDO_CONE_HALF_WIDTH</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 138</span><span> BINARY_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 139</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 142</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 143</span><span> BINARY_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 144</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_20</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 147</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 11</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_19</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 150</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_20</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 153</span><span> COMPARE_OP</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> ==</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 156</span><span> POP_JUMP_IF_FALSE</span><span style="color: #F78C6C;"> 176</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 176</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 159</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_20</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 162</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 165</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0.001</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 168</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 169</span><span> INPLACE_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 170</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_20</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 173</span><span> JUMP_FORWARD</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">to 176</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 176_0</span><span> COME_FROM</span><span style="color: #F78C6C;"> 173</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">173</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 176</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">attackPoint</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 179</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">attackDir</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 182</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">planeParams</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 185</span><span> LOAD_ATTR</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">torpedoAimDist</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 188</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 189</span><span> BINARY_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 190</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_21</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 193</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_21</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 196</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 199</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">spreading</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 202</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 203</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0.5</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 206</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 207</span><span> BINARY_SUBTRACT</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 208</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 14</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_22</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 211</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 13</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_21</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 214</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_14</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 217</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">spreading</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 220</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 221</span><span> LOAD_CONST</span><span style="color: #F78C6C;"> 0.5</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 224</span><span> BINARY_MULTIPLY</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 225</span><span> BINARY_ADD</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 226</span><span> STORE_FAST</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_23</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 229</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 11</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_19</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 232</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 12</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_20</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 235</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 14</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_22</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 238</span><span> LOAD_FAST</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;"> &#39;</span><span style="color: #C3E88D;">unknown_23</span><span style="color: #89DDFF;">&#39;</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 241</span><span> BUILD_TUPLE_4</span><span style="color: #F78C6C;"> 4</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 244</span><span> RETURN_VALUE</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> -</span><span style="color: #F78C6C;">1</span><span> RETURN_LAST</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>Parse error at</span><span style="color: #89DDFF;"> or</span><span> near `</span><span style="color: #89DDFF;">None&#39;</span><span style="color: #C3E88D;"> instruction at offset -1</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">def</span><span style="color: #82AAFF;"> getBombingZone</span><span style="color: #89DDFF;">(</span><span style="font-style: italic;">planeParams</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> modifierParams</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> aimAccuracy</span><span style="color: #89DDFF;">,</span><span style="font-style: italic;"> attackerStrength</span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;">1.0</span><span style="color: #89DDFF;">):</span></span> <span class="giallo-l"><span> unknown_24</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">maxSpread</span></span> <span class="giallo-l"><span> unknown_25</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">minSpread</span></span> <span class="giallo-l"><span> unknown_26</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerp</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_24</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">],</span><span style="color: #82AAFF;"> unknown_25</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">],</span><span style="color: #82AAFF;"> aimAccuracy</span><span style="color: #89DDFF;">) *</span><span> modifierParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">planeSpreadMultiplier</span></span> <span class="giallo-l"><span> unknown_27</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> lerp</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">unknown_24</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">],</span><span style="color: #82AAFF;"> unknown_25</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">],</span><span style="color: #82AAFF;"> aimAccuracy</span><span style="color: #89DDFF;">) *</span><span> modifierParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">planeSpreadMultiplier</span></span> <span class="giallo-l"><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">outerSalvoSize</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] *</span><span> unknown_26</span><span style="color: #89DDFF;"> *</span><span> attackerStrength</span></span> <span class="giallo-l"><span> unknown_28</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">outerSalvoSize</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] *</span><span> unknown_27</span></span> <span class="giallo-l"><span> unknown_29</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">innerSalvoSize</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] *</span><span> unknown_26</span><span style="color: #89DDFF;"> *</span><span> attackerStrength</span></span> <span class="giallo-l"><span> unknown_30</span><span style="color: #89DDFF;"> =</span><span> planeParams</span><span style="color: #89DDFF;">.</span><span style="color: #F07178;">innerSalvoSize</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] *</span><span> unknown_27</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">,</span><span> unknown_28</span><span style="color: #89DDFF;">,</span><span> unknown_29</span><span style="color: #89DDFF;">,</span><span> unknown_30</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"># snip</span></span></code></pre> <p>Clearly some functions still fail to decompile, but it may be enough to just read the instructions at this point to understand the intent.</p> <p>And code objects that go from this:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;simple_obfuscation_example.svg" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;simple_obfuscation_example.svg" width="500" height="500" alt="" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>To this:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;simple_deobfuscation_example.svg" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;wows-obfuscation&#x2F;simple_deobfuscation_example.svg" width="500" height="500" alt="" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <h2 id="closing-thoughts"><a class="zola-anchor" href="#closing-thoughts" aria-label="Anchor link for: closing-thoughts" >#</a > Closing Thoughts</h2> <p>There's one common theme in this post that I hope some readers picked up on: we are constantly battling the <em>decompiler's</em> ability to unravel code based off of heuristics instead of battling the obfuscator injecting garbage. The const predicates for example aren't even that big of a deal -- they just insert false control flow that at a <em>source</em> level is fairly straightforward to see is garbage.</p> <p>However, this false control flow is enough to throw off the decompiler's ability to figure out a <em>single</em> source code pattern that results in the entire code object failing to decompile. This isn't a jab at <code>uncompyle</code> either -- it's a great tool that works fairly well considering there's zero competition in this space. However, I think that if I were to solve this problem from scratch in 2023 I'd solve it very differently by working on a better decompiler that erodes away mapping of 1:1 source code to bytecode, and instead focuses on rebuilding source with the same functional semantics.</p> <p>As reverse engineers we don't really care about how the code was originally written, we just want to understand its intent at a higher level.</p> <h2 id="thanks"><a class="zola-anchor" href="#thanks" aria-label="Anchor link for: thanks" >#</a > Thanks</h2> <p>Thank you, reader, for making it this far. I'd like to extend thanks to the following people for their support in this research/providing deobfuscator feedback:</p> <ul> <li>lpcvoid (without his initial blog post I wouldn't have been nearly as motivated to go down this endeavour)</li> <li>Track</li> <li>TTaro</li> <li>901234</li> <li>notyourfather</li> <li>gabe_k</li> <li>Scout1Treia</li> <li>EdibleBug</li> </ul> 2023-02-10T00:00:00+00:00 2023-02-10T00:00:00+00:00 Unknown https://landaire.net/one-weird-asan-trick/ <h2 id="asan-primer"><a class="zola-anchor" href="#asan-primer" aria-label="Anchor link for: asan-primer" >#</a > ASAN Primer</h2> <p><em>If you're already an ASAN expert, feel free to skip to the next section.</em></p> <p><a rel="external" href="https://clang.llvm.org/docs/AddressSanitizer.html">AddressSanitizer</a> (ASAN) is an extremely useful tool in software testing, debugging, and security testing for finding memory safety issues in native applications. It's extremely straightforward to use on most platforms -- all you need to do is pass <code>-fsanitize=address</code> to clang/gcc and run the application.</p> <p>As your application runs it builds metadata about its memory state into what's called a <em>shadow memory</em>. The shadow memory is essentiallly a compressed representation of the application's address space and is used to look up memory ranges that are considered addressable. Memory ranges that are not addressable will be referred to as "poisoned memory".</p> <p>When ASAN detects a memory safety issue it will print a report to the console and stop the application. The first bit of the report is as follows:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>=================================================================</span></span> <span class="giallo-l"><span>==1==ERROR: AddressSanitizer: container-overflow on address 0x602000000010 at pc 0x560696424930 bp 0x7ffce1e0f150 sp 0x7ffce1e0f148</span></span> <span class="giallo-l"><span>WRITE of size 4 at 0x602000000010 thread T0</span></span> <span class="giallo-l"><span> #0 0x56069642492f in main /app/example.cpp:14:15</span></span> <span class="giallo-l"><span> #1 0x7fecaaf9a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)</span></span> <span class="giallo-l"><span> #2 0x56069636335d in _start (/app/output.s+0x2135d)</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>0x602000000010 is located 0 bytes inside of 12-byte region [0x602000000010,0x60200000001c)</span></span> <span class="giallo-l"><span>allocated by thread T0 here:</span></span> <span class="giallo-l"><span> #0 0x56069642211d in operator new(unsigned long) /root/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:95:3</span></span> <span class="giallo-l"><span> #1 0x560696427824 in void* std::__1::__libcpp_operator_new[abi:v15000]&lt;unsigned long&gt;(unsigned long) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/new:246:10</span></span> <span class="giallo-l"><span> #2 0x560696427808 in std::__1::__libcpp_allocate[abi:v15000](unsigned long, unsigned long) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/new:272:10</span></span> <span class="giallo-l"><span> #3 0x5606964277a9 in std::__1::allocator&lt;Foo&gt;::allocate[abi:v15000](unsigned long) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/__memory/allocator.h:112:38</span></span> <span class="giallo-l"><span> #4 0x5606964275e0 in std::__1::__allocation_result&lt;std::__1::allocator_traits&lt;std::__1::allocator&lt;Foo&gt;&gt;::pointer&gt; std::__1::__allocate_at_least[abi:v15000]&lt;std::__1::allocator&lt;Foo&gt;&gt;(std::__1::allocator&lt;Foo&gt;&amp;, unsigned long) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/__memory/allocate_at_least.h:54:19</span></span> <span class="giallo-l"><span> #5 0x560696426479 in std::__1::__split_buffer&lt;Foo, std::__1::allocator&lt;Foo&gt;&amp;&gt;::__split_buffer(unsigned long, unsigned long, std::__1::allocator&lt;Foo&gt;&amp;) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/__split_buffer:316:29</span></span> <span class="giallo-l"><span> #6 0x560696425927 in void std::__1::vector&lt;Foo, std::__1::allocator&lt;Foo&gt;&gt;::__push_back_slow_path&lt;Foo&gt;(Foo&amp;&amp;) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/vector:1535:49</span></span> <span class="giallo-l"><span> #7 0x560696424d3b in std::__1::vector&lt;Foo, std::__1::allocator&lt;Foo&gt;&gt;::push_back[abi:v15000](Foo&amp;&amp;) /opt/compiler-explorer/clang-15.0.0/bin/../include/c++/v1/vector:1567:9</span></span> <span class="giallo-l"><span> #8 0x5606964248d1 in main /app/example.cpp:11:10</span></span> <span class="giallo-l"><span> #9 0x7fecaaf9a082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)</span></span></code></pre> <p>It tells us there's a <em>container-overflow</em>, what address the container overflow occurred at, the call stack of where the overflow occurred, and finally where the memory we're faulting on was originally allocated.</p> <p>The next bit of the report is the shadow memory that was mentioned above:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;asan&#x2F;asan_error_with_arrow.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;asan_error_with_arrow.0fcd0a245b2df335.png" alt="" width="500" height="512" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>The big arrow here is pointing into the shadow memory at <code>[06]</code>, which according to the legend at the bottom of the screenshot tells us there are six addressable bytes followed by a <em>global redzone</em> (represented by the red 0xf9 in the shadow bytes).</p> <h3 id="runtime-instrumentation"><a class="zola-anchor" href="#runtime-instrumentation" aria-label="Anchor link for: runtime-instrumentation" >#</a > Runtime Instrumentation</h3> <p>ASAN builds its shadow memory at runtime with the help of its runtime library, <code>libclang_rt.asan_{target_platform}_dynamic.dylib</code>. The runtime library provides some of the following:</p> <ul> <li>Memory management hooks for <code>malloc()</code>, <code>free()</code>, <code>operator new()</code>, etc. Whenever a memory allocation/free occurs ASAN will update its shadow memory</li> <li>Functions for checking if memory is addressable or poisoned.</li> <li>Hooks for some common memory manipulation functions (<code>strncpy</code>, <code>strcpy</code>, <code>memcpy</code>, <code>memcmp</code>, etc.).</li> </ul> <p>For checking if memory is addressable, ASAN's runtime provides some simple APIs that are used by its compiler instrumentation such as:</p> <ul> <li><code>__asan_load1</code></li> <li><code>__asan_store1</code></li> <li><code>__asan_load2</code></li> <li><code>__asan_store2</code></li> <li><code>__asan_load8</code></li> <li><code>__asan_store8</code></li> <li>...</li> <li><code>__asan_loadN</code></li> </ul> <p><em>Note: This is certainly not a definitive list of APIs, but are relatively common</em>.</p> <p>These all essentially do the same thing under the hood:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">extern</span><span style="color: #89DDFF;"> &quot;</span><span style="color: #C3E88D;">C</span><span style="color: #89DDFF;">&quot;</span><span> NOINLINE INTERFACE_ATTRIBUTE </span><span style="color: #C792EA;">void</span><span style="color: #82AAFF;"> __asan_exp_loadN</span><span style="color: #89DDFF;">(</span><span>uptr </span><span style="font-style: italic;">addr</span><span style="color: #89DDFF;">,</span><span> uptr </span><span style="font-style: italic;">size</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span>u32 </span><span style="font-style: italic;">exp</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #82AAFF;">__asan_region_is_poisoned</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">addr</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> size</span><span style="color: #89DDFF;">)) {</span></span> <span class="giallo-l"><span style="color: #F07178;"> GET_CALLER_PC_BP_SP</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> ReportGenericError</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">pc</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> bp</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> sp</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> addr</span><span style="color: #89DDFF;">, false,</span><span style="color: #F07178;"> size</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> exp</span><span style="color: #89DDFF;">, true, false);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>They take an address and size, check if memory in that range is poisoned, and reports a generic error if it is.</p> <h3 id="compiler-instrumentation"><a class="zola-anchor" href="#compiler-instrumentation" aria-label="Anchor link for: compiler-instrumentation" >#</a > Compiler Instrumentation</h3> <p>The compiler instrumentation is primarily used for poisoning stack memory and inserting calls into the runtime library for "interesting" loads/stores. Of course, not <em>every</em> load/store will be instrumented by ASAN as that'd be a bit too heavy weight and a lot of things can be determined to be "safe" statically in the compiler.</p> <p>I'm not a compiler expert and truthfully don't care to dive into the source code at this time to figure out how ASAN determines what an "interesting" load/store is. With that said, when one is encountered ASAN's compiler pass will insert calls to the <code>__asan_{load,store}{size}</code> runtime functions to check the operation.</p> <h2 id="you-re-probably-missing-out-of-bounds-accesses"><a class="zola-anchor" href="#you-re-probably-missing-out-of-bounds-accesses" aria-label="Anchor link for: you-re-probably-missing-out-of-bounds-accesses" >#</a > You're Probably Missing Out-of-Bounds Accesses</h2> <p>With the crash course on ASAN out of the way, we can dive in to the main point of this blog post: you're probably missing OOBR/W in your applications if you're using C++/Rust/whatever language containers.</p> <h3 id="the-problem-with-vectors"><a class="zola-anchor" href="#the-problem-with-vectors" aria-label="Anchor link for: the-problem-with-vectors" >#</a > The Problem With Vectors</h3> <p>Here is some example code that should raise an out-of-bounds access violation:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">vector</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">stdio.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">string.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">int</span><span style="color: #82AAFF;"> main</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Allocate a vector to store some data generated by our fuzzer</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> std</span><span style="color: #89DDFF;">::</span><span>vector</span><span style="color: #89DDFF;">&lt;</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;">&gt;</span><span> fuzzed</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Fuzzer pushes 5 bytes to the vector</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">push_back</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x41</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">push_back</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x42</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">push_back</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x43</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">push_back</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x44</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">push_back</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0x45</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Copy 8 bytes from the vector to a test buffer</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> test</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;">] = {</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">};</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memcpy</span><span style="color: #89DDFF;">(&amp;</span><span>test</span><span style="color: #89DDFF;">,</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">data</span><span style="color: #89DDFF;">(), sizeof(</span><span>test</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">size_t</span><span> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span> i </span><span style="color: #89DDFF;">&lt; sizeof(</span><span>test</span><span style="color: #89DDFF;">);</span><span> i</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> printf</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #F07178;">%02X</span><span style="color: #89DDFF;">&quot;,</span><span> test</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">]);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> printf</span><span style="color: #89DDFF;">(&quot;</span><span>\n</span><span style="color: #C3E88D;">size(</span><span style="color: #F07178;">%zu</span><span style="color: #C3E88D;">), capacity(</span><span style="color: #F07178;">%zu</span><span style="color: #C3E88D;">)</span><span>\n</span><span style="color: #89DDFF;">&quot;,</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">(),</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">capacity</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>We have a vector with 5 bytes that we then try to copy 8 bytes from. Pretty standard out-of-bounds read. When we run this with ASAN however...</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>Program returned: 0</span></span> <span class="giallo-l"><span>Program stdout</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>4142434445FFFFFFBEFFFFFFBEFFFFFFBE</span></span> <span class="giallo-l"><span>size(5), capacity(8)</span></span></code></pre> <p><em><a rel="external" href="https://godbolt.org/z/cecf6Pjz8">https://godbolt.org/z/cecf6Pjz8</a></em></p> <p>No crash! You might notice something interesting in the last line of the output though: the size of the vector is 5, but its capacity is <em>8</em>.</p> <p>Some readers probably know that when you <code>push_back()</code> or insert data into a <code>vector</code> that's at its capacity, it reallocates the buffer to be <em>double</em> its current size, copies the data to the new buffer, and frees the old one (or just does a <code>realloc()</code>). As a vector starts to grow from 0 elements up to N, its growth looks like the following:</p> <p><img src="/img/asan/vector_growth.png" alt="Vector growth strategy" /></p> <p><em><a rel="external" href="https://i.stack.imgur.com/w5VP7.png">Source</a></em></p> <p>This is very problematic for us. We're not catching an out-of-bounds access because of some implementation detail. All ASAN knows is that the application requested a buffer with 8 bytes -- it doesn't know that in our case 3 of those bytes are unused memory that aren't safe for us to use yet.</p> <p>In the general case, any memory accesses in the range from <code>[vector.data() + vector.size(), vector.data() + vector.capacity()]</code> won't be detected as an out-of-bounds access!</p> <h3 id="the-problem-with-strings"><a class="zola-anchor" href="#the-problem-with-strings" aria-label="Anchor link for: the-problem-with-strings" >#</a > The Problem With Strings</h3> <p>Here's an example that's basically the same as the vector example above -- except, we're now constructing an <code>std::string</code> with a static C string.</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">stdio.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">string</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">string.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">int</span><span style="color: #82AAFF;"> main</span><span style="color: #89DDFF;">() {</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> std</span><span style="color: #89DDFF;">::</span><span>string</span><span style="color: #82AAFF;"> test</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #C3E88D;">four</span><span style="color: #89DDFF;">&quot;);</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> temp</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">10</span><span style="color: #89DDFF;">] = {</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">};</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memcpy</span><span style="color: #89DDFF;">(&amp;</span><span>temp</span><span style="color: #89DDFF;">,</span><span> test</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">data</span><span style="color: #89DDFF;">(), sizeof(</span><span>temp</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">size_t</span><span> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span> i </span><span style="color: #89DDFF;">&lt; sizeof(</span><span>temp</span><span style="color: #89DDFF;">);</span><span> i</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> printf</span><span style="color: #89DDFF;">(&quot;</span><span style="color: #F07178;">%02X</span><span style="color: #89DDFF;">&quot;,</span><span> temp</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">]);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> printf</span><span style="color: #89DDFF;">(&quot;</span><span>\n</span><span style="color: #C3E88D;">size(</span><span style="color: #F07178;">%lu</span><span style="color: #C3E88D;">), capacity(</span><span style="color: #F07178;">%lu</span><span style="color: #C3E88D;">)</span><span>\n</span><span style="color: #89DDFF;">&quot;,</span><span> test</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">(),</span><span> test</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">capacity</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span></code></pre> <p>Again, this doesn't trigger a crash:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>Program returned: 0</span></span> <span class="giallo-l"><span>Program stdout</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span>666F7572000000000000</span></span> <span class="giallo-l"><span>size(4), capacity(15)</span></span></code></pre> <p><em><a rel="external" href="https://godbolt.org/z/hdjK1WoKo">https://godbolt.org/z/hdjK1WoKo</a></em></p> <p>So the four-character string actually has a total capacity of 15, i.e. the <code>std::string</code> has over-allocated memory. If you tried initializing an <code>std::vector</code> with an explicit initializer list it would allocate only the exact number of elements needed... why are strings different?</p> <p>Let's take a look at LLVM's libc++ <code>string</code> code (simplified version will follow):</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#ifdef</span><span style="color: #82AAFF;"> _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __short_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x01</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __long_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x1ul</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#else</span><span style="color: #464B5D;font-style: italic;"> // _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __short_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x80</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __long_mask </span><span style="color: #89DDFF;">= ~(</span><span style="color: #82AAFF;">size_type</span><span style="color: #89DDFF;">(~</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">) &gt;&gt;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span><span style="color: #464B5D;font-style: italic;"> // _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> enum</span><span style="color: #89DDFF;"> {</span><span>__min_cap</span><span style="color: #89DDFF;"> = (sizeof(</span><span style="color: #F07178;">__long</span><span style="color: #89DDFF;">) -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">)/sizeof(</span><span style="color: #F07178;">value_type</span><span style="color: #89DDFF;">) &gt;</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> ?</span></span> <span class="giallo-l"><span style="color: #F07178;"> (sizeof(__long) - 1)/sizeof(value_type) : 2</span><span style="color: #89DDFF;">};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> __short</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> value_type </span><span>__data_</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">__min_cap</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span></span> <span class="giallo-l"><span style="color: #F07178;"> :</span><span style="color: #FFCB6B;"> __padding</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">value_type</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> unsigned char</span><span style="color: #F07178;"> __size_</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#else</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> __long</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> size_type __cap_</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> size_type __size_</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> pointer __data_</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#ifdef</span><span style="color: #82AAFF;"> _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __short_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x80</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __long_mask </span><span style="color: #89DDFF;">= ~(</span><span style="color: #82AAFF;">size_type</span><span style="color: #89DDFF;">(~</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">) &gt;&gt;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#else</span><span style="color: #464B5D;font-style: italic;"> // _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __short_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x01</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static const</span><span> size_type __long_mask </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0x1ul</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span><span style="color: #464B5D;font-style: italic;"> // _LIBCPP_BIG_ENDIAN</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> enum</span><span style="color: #89DDFF;"> {</span><span>__min_cap</span><span style="color: #89DDFF;"> = (sizeof(</span><span style="color: #F07178;">__long</span><span style="color: #89DDFF;">) -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">)/sizeof(</span><span style="color: #F07178;">value_type</span><span style="color: #89DDFF;">) &gt;</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> ?</span></span> <span class="giallo-l"><span style="color: #F07178;"> (sizeof(__long) - 1)/sizeof(value_type) : 2</span><span style="color: #89DDFF;">};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> __short</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> union</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> unsigned char</span><span style="color: #F07178;"> __size_</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> value_type __lx</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"><span style="color: #F07178;"> value_type </span><span>__data_</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">__min_cap</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span><span style="color: #464B5D;font-style: italic;"> // _LIBCPP_ABI_ALTERNATE_STRING_LAYOUT</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> union</span><span style="color: #FFCB6B;"> __ulx</span><span style="color: #89DDFF;">{</span><span style="color: #F07178;">__long __lx</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> __short __lxx</span><span style="color: #89DDFF;">;};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> enum</span><span style="color: #89DDFF;"> {</span><span>__n_words</span><span style="color: #89DDFF;"> = sizeof(</span><span style="color: #F07178;">__ulx</span><span style="color: #89DDFF;">) / sizeof(</span><span style="color: #F07178;">size_type</span><span style="color: #89DDFF;">)};</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> __raw</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> size_type </span><span>__words</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">__n_words</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> struct</span><span style="color: #FFCB6B;"> __rep</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> union</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> __long __l</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> __short __s</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> __raw __r</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> };</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> __compressed_pair</span><span style="color: #89DDFF;">&lt;</span><span>__rep</span><span style="color: #89DDFF;">,</span><span> allocator_type</span><span style="color: #89DDFF;">&gt;</span><span> __r_</span><span style="color: #89DDFF;">;</span></span></code></pre> <p><a rel="external" href="https://github.com/landaire/llvm-project/blob/f860d2e78cca40e2b8697a22a92efebfea409256/libcxx/include/string#L731-L803">GitHub link.</a></p> <p><em>Yuck</em>. This is not simple to understand, but we can see that there's some interesting inline buffer stuff going on with the <code>__short</code> struct at least. I've rewritten this code to be <em>definitely not</em> the same layout as an <code>std::string</code> but shows what's going on easier to understand:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #C792EA;">class</span><span style="color: #FFCB6B;"> string</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> short_optimization</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">15</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #C792EA;"> size_t</span><span style="color: #F07178;"> len</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> size_t</span><span style="color: #F07178;"> capacity</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">heap_longer_string</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p><code>std::string</code> has an optimization for short strings that allows it to avoid a heap allocation. Unfortunately, this means that for small strings we won't detect small out-of-bounds reads (OOBR) similar to the <code>std::vector</code> problem. And similar to the <code>std::vector</code> problem, heap-allocated strings grow in a way that over-allocates memory to reduce the number of allocations every time you push more data to it.</p> <h2 id="fixes"><a class="zola-anchor" href="#fixes" aria-label="Anchor link for: fixes" >#</a > Fixes</h2> <h3 id="the-one-weird-trick"><a class="zola-anchor" href="#the-one-weird-trick" aria-label="Anchor link for: the-one-weird-trick" >#</a > The "One Weird Trick"</h3> <p>This isn't really documented anywhere, but <code>std::vector</code> actually does have ASAN enlightenment to detect this exact problem we're talking about:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // The following functions are no-ops outside of AddressSanitizer mode.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // We call annotatations only for the default Allocator because other allocators</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // may not meet the AddressSanitizer alignment constraints.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // See the documentation for __sanitizer_annotate_contiguous_container for more details.</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#ifndef</span><span style="color: #82AAFF;"> _LIBCPP_HAS_NO_ASAN</span></span> <span class="giallo-l"><span> _LIBCPP_CONSTEXPR_SINCE_CXX20</span></span> <span class="giallo-l"><span style="color: #C792EA;"> void</span><span style="color: #82AAFF;"> __annotate_contiguous_container</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">const void *</span><span style="font-style: italic;">__beg</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> const void *</span><span style="font-style: italic;">__end</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> const void *</span><span style="font-style: italic;">__old_mid</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> const void *</span><span style="font-style: italic;">__new_mid</span><span style="color: #89DDFF;">)</span><span style="color: #C792EA;"> const</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (!</span><span style="color: #82AAFF;">__libcpp_is_constant_evaluated</span><span style="color: #89DDFF;">() &amp;&amp;</span><span> __beg </span><span style="color: #89DDFF;">&amp;&amp;</span><span style="color: #FFCB6B;"> is_same</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">allocator_type</span><span style="color: #89DDFF;">,</span><span style="color: #FFCB6B;"> __default_allocator_type</span><span style="color: #89DDFF;">&gt;::</span><span>value</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> __sanitizer_annotate_contiguous_container</span><span style="color: #89DDFF;">(</span><span>__beg</span><span style="color: #89DDFF;">,</span><span> __end</span><span style="color: #89DDFF;">,</span><span> __old_mid</span><span style="color: #89DDFF;">,</span><span> __new_mid</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#else</span></span> <span class="giallo-l"><span> _LIBCPP_CONSTEXPR_SINCE_CXX20 _LIBCPP_HIDE_FROM_ABI</span></span> <span class="giallo-l"><span style="color: #C792EA;"> void</span><span style="color: #82AAFF;"> __annotate_contiguous_container</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">const void*</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> const void*</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> const void*</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> const void*</span><span style="color: #89DDFF;">)</span><span style="color: #C792EA;"> const</span><span> _NOEXCEPT </span><span style="color: #89DDFF;">{}</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span></span></code></pre> <p><a rel="external" href="https://github.com/llvm/llvm-project/blob/b7a2ff296352acacdc413d6f3f912e50f90ebb31/libcxx/include/vector#L740-L750">GitHub Link</a>.</p> <p>When the <code>_LIBCPP_HAS_NO_ASAN</code> preprocessor macro is not defined it has some logic for informing ASAN about the contiguous region of a vector as well as the contiguous region that's allocated but yet-unused. The preprocessor macro is only defined when:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span># if !__has_feature(address_sanitizer)</span></span> <span class="giallo-l"><span># define _LIBCPP_HAS_NO_ASAN</span></span> <span class="giallo-l"><span># endif</span></span></code></pre> <p><a rel="external" href="https://github.com/llvm/llvm-project/blob/7ca3444fba7344b375f147b77252adbf71f464e0/libcxx/include/__config#LL479-L481C11">GitHub Link</a>.</p> <p>So why the hell aren't we getting this enlightenment? We never defined it ourselves.</p> <p>I don't even remember why I tried this, but it seems you need to explicitly pass <code>-stdlib=libc++</code> and just like magic, it works. Our example for an <code>std::vector</code> will now detect the small OOBR with this flag:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>=================================================================</span></span> <span class="giallo-l"><span>==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000075 at pc 0x5640917cd227 bp 0x7ffe3ad2ee30 sp 0x7ffe3ad2e600</span></span> <span class="giallo-l"><span>READ of size 8 at 0x602000000075 thread T0</span></span> <span class="giallo-l"><span> #0 0x5640917cd226 in __asan_memcpy /root/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3</span></span> <span class="giallo-l"><span> #1 0x56409180aa25 in main /app/example.cpp:17:5</span></span> <span class="giallo-l"><span> #2 0x7f35ef2f1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)</span></span> <span class="giallo-l"><span> #3 0x56409174935d in _start (/app/output.s+0x2135d)</span></span></code></pre> <p><em><a rel="external" href="https://godbolt.org/z/ao64GcT7f">https://godbolt.org/z/ao64GcT7f</a>.</em></p> <p>There are some downsides to this:</p> <ul> <li><code>std::vector</code> is the only container with this enlightenment. But it does automatically update the poisoned region whenever we insert, remove, or clear the elements which is very nice.</li> <li>Our <code>std::string</code> example still doesn't detect the OOBR with this compiler flag: <a rel="external" href="https://godbolt.org/z/3bj6nnGxG">https://godbolt.org/z/3bj6nnGxG</a>.</li> <li>You may not want to enable this if you have modules you cannot compile with this flag that may share an <code>std::vector</code>. The module that's not enlightened would not poison memory correctly, leading to false-positives. There may be ABI compatability issues as well.</li> </ul> <h3 id="code-level-fix"><a class="zola-anchor" href="#code-level-fix" aria-label="Anchor link for: code-level-fix" >#</a > Code-Level Fix</h3> <p><a rel="external" href="https://github.com/google/sanitizers/wiki/AddressSanitizerManualPoisoning">Google's ASAN wiki</a> provides documentation for how to manually poison memory yourself using <code>ASAN_POISON_MEMORY_REGION(addr, size)</code> and <code>ASAN_UNPOISON_MEMORY_REGION(addr, size)</code>. We can use this as follows:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#if</span><span style="color: #FFCB6B;"> __has_feature</span><span>(</span><span style="color: #82AAFF;">address_sanitizer</span><span>) </span><span style="color: #89DDFF;">||</span><span style="color: #89DDFF;font-style: italic;"> defined</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">__SANITIZE_ADDRESS__</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">sanitizer/asan_interface.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">const uint8_t</span><span style="color: #89DDFF;"> *</span><span>extra_start </span><span style="color: #89DDFF;">=</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">data</span><span style="color: #89DDFF;">() +</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #C792EA;">size_t</span><span> extra_len </span><span style="color: #89DDFF;">=</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">capacity</span><span style="color: #89DDFF;">() -</span><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#if</span><span style="color: #FFCB6B;"> __has_feature</span><span>(</span><span style="color: #82AAFF;">address_sanitizer</span><span>) </span><span style="color: #89DDFF;">||</span><span style="color: #89DDFF;font-style: italic;"> defined</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">__SANITIZE_ADDRESS__</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #82AAFF;">ASAN_POISON_MEMORY_REGION</span><span style="color: #89DDFF;">(</span><span>extra_start</span><span style="color: #89DDFF;">,</span><span> extra_len</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#endif</span></span></code></pre> <p>Or if for some reason you don't want to pull in the ASAN interface you could just copy data to a vector with the appropriate pre-allocated size:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #FFCB6B;">std</span><span style="color: #89DDFF;">::</span><span>vector</span><span style="color: #89DDFF;">&lt;</span><span style="color: #C792EA;">uint8_t</span><span style="color: #89DDFF;">&gt;</span><span> copied</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span>copied</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">reserve</span><span style="color: #89DDFF;">(</span><span>fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">());</span></span> <span class="giallo-l"><span style="color: #FFCB6B;">std</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">copy</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">begin</span><span style="color: #89DDFF;">(),</span></span> <span class="giallo-l"><span> fuzzed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">end</span><span style="color: #89DDFF;">(),</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> std</span><span style="color: #89DDFF;">::</span><span style="color: #82AAFF;">back_inserter</span><span style="color: #89DDFF;">(</span><span>copied</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;">assert_eq</span><span style="color: #89DDFF;">(</span><span>copied</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">capacity</span><span style="color: #89DDFF;">(),</span><span> copied</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">size</span><span style="color: #89DDFF;">())</span></span></code></pre> <p>Copying data sucks, but do what works for you. <em>Note:</em> avoid using <code>std::vector::shrink_to_fit()</code>. Per <a rel="external" href="https://en.cppreference.com/w/cpp/container/vector/shrink_to_fit">cppreference</a>, "It depends on the implementation whether the request is fulfilled."</p> <h2 id="other-tricks"><a class="zola-anchor" href="#other-tricks" aria-label="Anchor link for: other-tricks" >#</a > Other Tricks</h2> <p>While I have your attention I wanted to call out some other things you can do to improve your ability to find bugs.</p> <h3 id="failfast"><a class="zola-anchor" href="#failfast" aria-label="Anchor link for: failfast" >#</a > Failfast</h3> <p>If you have an abstraction that's intended to safely handle memory, why wait for your test or fuzzing harness to find the bug? For example, in my opinion a <code>span</code> implementation should never be given an invalid memory range. We can enforce this at its constructor by checking if the provided memory region is poisoned and trigger a controlled crash:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="cpp"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">#include</span><span style="color: #89DDFF;"> &lt;</span><span style="color: #C3E88D;">sanitizer/asan_interface.h</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;">template</span><span style="color: #89DDFF;">&lt;</span><span style="color: #C792EA;">typename</span><span style="color: #FFCB6B;"> T</span><span style="color: #89DDFF;">&gt;</span></span> <span class="giallo-l"><span style="color: #C792EA;">class</span><span style="color: #FFCB6B;"> span</span><span style="color: #89DDFF;">&lt;</span><span style="color: #FFCB6B;">T</span><span style="color: #89DDFF;">&gt; {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> public</span><span style="color: #89DDFF;">:</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> span</span><span style="color: #89DDFF;">(</span><span style="color: #FFCB6B;">T</span><span style="color: #C792EA;"> *</span><span style="font-style: italic;">data</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> size_t</span><span style="font-style: italic;"> count</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #82AAFF;">__asan_region_is_poisoned</span><span style="color: #89DDFF;">(static_cast&lt;</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;">*&gt;(</span><span style="color: #F07178;">data</span><span style="color: #89DDFF;">),</span><span style="color: #F07178;"> count </span><span style="color: #89DDFF;">* sizeof(</span><span style="color: #F07178;">T</span><span style="color: #89DDFF;">))) {</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> assert</span><span style="color: #89DDFF;">(false);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h3 id="sanitizer-recovery"><a class="zola-anchor" href="#sanitizer-recovery" aria-label="Anchor link for: sanitizer-recovery" >#</a > Sanitizer Recovery</h3> <p>Whenever you repro a bug with ASAN, try to remember to compile with <code>-fsanitize-recover=address</code>. This will essentially allow the application to recover and continue running when ASAN triggers a violation.</p> <p>It may seem like a strange choice, but let's say you have a small out-of-bounds read that looks relatively boring. That bug may be hiding something much juicier that's triggered <em>only</em> when the OOBR occurs! <code>-fsanitize-recover=address</code> will allow the application to run until either a hard fault occurs or the application exits, but will still print any ASAN violation that occurs along the way.</p> <h2 id="closing-thoughts"><a class="zola-anchor" href="#closing-thoughts" aria-label="Anchor link for: closing-thoughts" >#</a > Closing Thoughts</h2> <p>ASAN is a very powerful tool, but has limitations on what it can provide you by default. When using abstractions that allocate memory for you, keep in mind that they may reduce ASAN's effectiveness. The examples shown here were exclusively C++ examples, but can be easily applied to other languages as well.</p> <p>Rust, for example, has zero ASAN englightenment at the time of this blog post. That means <code>unsafe { }</code> code manually reading from a <code>Vec&lt;T&gt;</code>'s data pointer or passing the pointer across an FFI boundary may run into similar false-negatives. Ditto for the <code>String</code> type, <code>OSString</code>, etc.</p> 2021-12-27T00:00:00+00:00 2021-12-27T00:00:00+00:00 Unknown https://landaire.net/reversing-yaesu-firmware-encryption/ <h2 id="background"><a class="zola-anchor" href="#background" aria-label="Anchor link for: background" >#</a > Background</h2> <p>Ham radios are a fun way of learning how the radio spectrum works, and more importantly: they're embedded devices that may run weird chips/firmware! I got curious how easy it'd be to hack my Yaesu FT-70D, so I started doing some research. The only existing resource I could find for Yaesu radios was <a rel="external" href="https://www.reddit.com/r/amateurradio/comments/cwoxvv/yaesu_ft1dr_custom_firmware/">someone who posted about custom firmware for their Yaesu FT1DR</a>.</p> <p>The Reddit poster mentioned that if you go through the firmware update process via USB, the radio exposes its Renesas H8SX microcontroller and can have its flash modified using the Renesas SDK. This was a great start and looked promising, but the SDK wasn't trivial to configure and I wasn't sure if it could even dump the firmware... so I didn't use it for very long.</p> <h2 id="other-avenues"><a class="zola-anchor" href="#other-avenues" aria-label="Anchor link for: other-avenues" >#</a > Other Avenues</h2> <p>Yaesu provides a Windows application on their website that can be used to update a radio's firmware over USB:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;firmware_page.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;firmware_page.04f1c2d731a66b56.png" alt="" width="477" height="500" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>The zip contains the following files:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>1.2 MB Wed Nov 8 14:34:38 2017 FT-70D_ver111(USA).exe</span></span> <span class="giallo-l"><span>682 KB Tue Nov 14 00:00:00 2017 FT-70DR_DE_Firmware_Update_Information_ENG_1711-B.pdf</span></span> <span class="giallo-l"><span>8 MB Mon Apr 23 00:00:00 2018 FT-70DR_DE_MAIN_Firmware_Ver_Up_Manual_ENG_1804-B.pdf</span></span> <span class="giallo-l"><span>3.2 MB Fri Jan 6 17:54:44 2012 HMSEUSBDRIVER.exe</span></span> <span class="giallo-l"><span>160 KB Sat Sep 17 15:14:16 2011 RComms.dll</span></span> <span class="giallo-l"><span>61 KB Tue Oct 23 17:02:08 2012 RFP_USB_VB.dll</span></span> <span class="giallo-l"><span>1.7 MB Fri Mar 29 11:54:02 2013 vcredist_x86.exe</span></span></code></pre> <p>I'm going to assume that the file specific to the FT-70D, "FT-70D_ver111(USA).exe", will likely contain our firmware image. A PE file (.exe) can contain binary resources in the <code>.rsrc</code> section -- let's see what this file contains using <a rel="external" href="https://github.com/horsicq/XPEViewer">XPEViewer</a>:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;exe_resources.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;exe_resources.eb5799636ce0b537.png" alt="" width="800" height="538" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>Resources fit into one of many different <a rel="external" href="https://docs.microsoft.com/en-us/windows/win32/menurc/resource-types">resource types</a>, but a firmware image would likely be put into a custom type. What's this last entry, "23"? Expanding that node we have a couple of interesting items:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;start_update.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;start_update.fd44b49d8f5a99d8.png" alt="" width="800" height="538" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p><code>RES_START_DIALOG</code> is a custom string the updater shows when preparing an update, so we're in the right area!</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;res_update_info.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;res_update_info.800caa6b65c3a1dc.png" alt="" width="800" height="538" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p><code>RES_UPDATE_INFO</code> looks like just binary data -- perhaps this is our firmware image? Unfortunately looking at the "Strings" tab in XPEViewer or running the <code>strings</code> utility over this data doesn't yield anything legible. The firmware image is likely encrypted.</p> <h2 id="reverse-engineering-the-binary"><a class="zola-anchor" href="#reverse-engineering-the-binary" aria-label="Anchor link for: reverse-engineering-the-binary" >#</a > Reverse Engineering the Binary</h2> <p>Let's load the update utility into our disassembler of choice to figure out how the data is encrypted. I'll be using IDA Pro, but Ghidra (free!), radare2 (free!), or Binary Ninja are all great alternatives. Where possible in this article I'll try to show my rewritten code in C since it'll be a closer match to the decompiler and machine code output.</p> <p>A good starting point is the the string we saw above, <code>RES_UPDATE_INFO</code>. Windows applications load resources by calling one of the <a rel="external" href="https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-findresourcea"><code>FindResource*</code> APIs</a>. <code>FindResourceA</code> has the following parameters:</p> <ol> <li><code>HMODULE</code>, a handle to the module to look for the resource in.</li> <li><code>lpName</code>, the resource name.</li> <li><code>lpType</code>, the resource type.</li> </ol> <p>In our disassembler we can find references to the <code>RES_UPDATE_INFO</code> string and look for calls to <code>FindResourceA</code> with this string as an argument in the <code>lpName</code> position.</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;update_info_xrefs.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;update_info_xrefs.ad5bc7241aaf966e.png" alt="" width="800" height="314" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We find a match in a function which happens to find/load <em>all</em> of these custom resources under type <code>23</code>.</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;load_resource_decompiler_output.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;load_resource_decompiler_output.ed358a98d7f4ab3b.png" alt="" width="800" height="609" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We know where the data is loaded by the application, so now we need to see how it's used. Doing static analysis from this point may be more work than it's worth if the data isn't operated on immediately. To speed things up I'm going to use a debugger's assistance. I used WinDbg's <a rel="external" href="https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/time-travel-debugging-overview">Time Travel Debugging</a> to record an execution trace of the updater while it updates my radio. TTD is an invaluable tool and I'd highly recommend using it when possible. <a rel="external" href="https://rr-project.org/">rr</a> is an alternative for non-Windows platforms.</p> <p>The decompiler output shows this function copies the <code>RES_UPDATE_INFO</code> resource to a dynamically allocated buffer. The <code>qmemcpy()</code> is inlined and represented by a <code>rep movsd</code> instruction in the disassembly, so we need to break at this instruction and examine the <code>edi</code> register's (destination address) value. I set a breakpoint by typing <code>bp 0x406968</code> in the command window, allow the application to continue running, and when it breaks we can see the <code>edi</code> register value is <code>0x2be5020</code>. We can now set a memory access breakpoint at this address using <code>ba r4 0x2be5020</code> to break whenever this data is read.</p> <p>Our breakpoint is hit at <code>0x4047DC</code> -- back to the disassembler. In IDA you can press <code>G</code> and enter this address to jump to it. We're finally at what looks like the data processing function:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;deobfuscate_function.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;deobfuscate_function.70d489a87307371e.png" alt="" width="800" height="367" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We broke when dereferencing <code>v2</code> and IDA has automatically named the variable it's being assigned to as <code>Time</code>. The <code>Time</code> variable is passed to another function which formats it as a string with <code>%Y%m%d%H%M%S</code>. Let's clean up the variables to reflect what we know:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">bool</span><span> __thiscall </span><span style="color: #82AAFF;">sub_4047B0</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">encrypted_data</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // esi</span></span> <span class="giallo-l"><span style="color: #F07178;"> BOOL v3</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ebx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">v4</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // eax</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">time_string</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+Ch] [ebp-320h] BYREF</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+10h] [ebp-31Ch] BYREF</span></span> <span class="giallo-l"><span style="color: #FFCB6B;"> __time64_t</span><span style="color: #F07178;"> Time</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+14h] [ebp-318h] BYREF</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;">__thiscall </span><span style="color: #89DDFF;">**</span><span style="color: #F07178;">v9</span><span style="color: #89DDFF;">)(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> *,</span><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;">);</span><span style="color: #464B5D;font-style: italic;"> // [esp+1Ch] [ebp-310h]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v10</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+328h] [ebp-4h]</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // rename v2 to encrypted_data</span></span> <span class="giallo-l"><span style="color: #F07178;"> encrypted_data </span><span style="color: #89DDFF;">= *(</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> **)(*((</span><span style="color: #F07178;">_DWORD </span><span style="color: #89DDFF;">*)</span><span style="color: #82AAFF;">AfxGetModuleState</span><span style="color: #89DDFF;">() +</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) +</span><span style="color: #F78C6C;"> 160</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> Time </span><span style="color: #89DDFF;">= *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)</span><span style="color: #F07178;">encrypted_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // rename this function and its 2nd parameter</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> format_timestamp</span><span style="color: #89DDFF;">(&amp;</span><span style="color: #F07178;">Time</span><span style="color: #89DDFF;">, (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)&amp;</span><span style="color: #F07178;">time_string</span><span style="color: #89DDFF;">, &quot;</span><span style="color: #C3E88D;">%Y%m</span><span style="color: #F07178;">%d</span><span style="color: #C3E88D;">%H%M</span><span style="color: #F07178;">%S</span><span style="color: #89DDFF;">&quot;);</span></span> <span class="giallo-l"><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> off_4244A0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> sub_4082C0</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">time_string</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">=</span><span style="color: #82AAFF;"> sub_408350</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">encrypted_data </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x100000</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> this </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 92</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0x100000</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">v7</span><span style="color: #89DDFF;">) ==</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v4 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> time_string </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> off_4244A0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">= -</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #82AAFF;"> _InterlockedDecrement</span><span style="color: #89DDFF;">((</span><span style="color: #C792EA;">volatile signed</span><span style="color: #F07178;"> __int32 </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">time_string </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) &lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> (*(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;">__stdcall </span><span style="color: #89DDFF;">**)(</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *))(**(</span><span style="color: #F07178;">_DWORD </span><span style="color: #89DDFF;">**)</span><span style="color: #F07178;">v4 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">))(</span><span style="color: #F07178;">v4</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F07178;"> v3</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>The timestamp string is passed to <code>sub_4082c0</code> on line 20 and the remainder of the update image is passed to <code>sub_408350</code> on line 21. I'm going to focus on <code>sub_408350</code> since I only care about the firmware data right now and based on how this function is called I'd wager its signature is something like:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #FFCB6B;">status_t</span><span style="color: #82AAFF;"> sub_408350</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">uint8_t</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">input</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> size_t</span><span style="font-style: italic;"> input_len</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> uint8_t</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">output</span><span style="color: #89DDFF;">,</span><span> output_len</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> size_t</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">out_data_processed</span><span style="color: #89DDFF;">);</span></span></code></pre> <p>Let's see what it does:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">int</span><span> __stdcall </span><span style="color: #82AAFF;">sub_408350</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">a1</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> a2</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> a3</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> a4</span><span style="color: #89DDFF;">,</span><span> _DWORD </span><span style="color: #89DDFF;">*</span><span style="font-style: italic;">a5</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v5</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // edx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ebp</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v8</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // esi</span></span> <span class="giallo-l"><span style="color: #C792EA;"> unsigned int</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ecx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> v10</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">v11</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // eax</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> v13</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+10h] [ebp-54h]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">64</span><span style="color: #89DDFF;">];</span><span style="color: #464B5D;font-style: italic;"> // [esp+20h] [ebp-44h] BYREF</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> a2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memset</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">v14</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">, sizeof(</span><span style="color: #F07178;">v14</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> a2 </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;">LABEL_13:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">a5 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v8 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v5</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">&gt;=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #F07178;"> v8 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v13 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> v8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 0x40</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">= *</span><span style="color: #F07178;">a1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] = (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)*</span><span style="color: #F07178;">a1 </span><span style="color: #89DDFF;">&gt;&gt;</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x40</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x20</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x10</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v14</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ++</span><span style="color: #F07178;">a1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> sub_407980</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">v14</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v8 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;">LABEL_12:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v13 </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> goto</span><span style="color: #F07178;"> LABEL_13</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v13</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">= &amp;</span><span>v14</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">&gt;=</span><span style="color: #F07178;"> a4 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> -</span><span style="color: #F78C6C;">101</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">a3 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">++) =</span><span> v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">6</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">5</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>v11</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (*</span><span style="color: #F07178;">v11 </span><span style="color: #89DDFF;">| (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * *(</span><span style="color: #F07178;">v11 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">))))))))))))));</span></span> <span class="giallo-l"><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v8 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> goto</span><span style="color: #F07178;"> LABEL_12</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>I think we've found our function that starts decrypting the firmware! To confirm, we want to see what the <code>output</code> parameter's data looks like before and after this function is called. I set a breakpoint in the debugger at the address where it's called (<code>bp 0x404842</code>) and put the value of the <code>edi</code> register (<code>0x2d7507c</code>) in WinDbg's memory window.</p> <p>Here's the data before:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;data_before.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;data_before.b3909a2025b89ba1.png" alt="" width="648" height="789" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>After stepping over the function call:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;data_after.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;data_after.7ab8bc7523fb6c44.png" alt="" width="646" height="800" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We can dump this data to a file using the following command:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>.writemem C:\users\lander\documents\maybe_deobfuscated.bin 0x2d7507c L100000</span></span></code></pre> <p>010 Editor has a built-in strings utility (Search &gt; Find Strings...) and if we scroll down a bit in the results, we have real strings that appear in my radio!</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;hex_editor_strings.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;hex_editor_strings.21f4f024c6f70e82.png" alt="" width="800" height="751" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>At this point if we were just interested in getting the plaintext firmware we could stop messing with the binary and <a href="https://landaire.net/reversing-yaesu-firmware-encryption/#loading-the-firmware-in-ida-pro">load the firmware into IDA Pro</a>... but I want to know how this encryption works.</p> <h2 id="encryption-details"><a class="zola-anchor" href="#encryption-details" aria-label="Anchor link for: encryption-details" >#</a > Encryption Details</h2> <p>Just to recap from the last section:</p> <ul> <li>We've identified our data processing routine (let's call this function <code>decrypt_update_info</code>).</li> <li>We know that the first 4 bytes of the update data are a Unix timestamp that's formatted as a string and used for an unknown purpose.</li> <li>We know which function begins decrypting our firmware image.</li> </ul> <h3 id="data-decryption"><a class="zola-anchor" href="#data-decryption" aria-label="Anchor link for: data-decryption" >#</a > Data Decryption</h3> <p>Let's look at the firmware image decryption routine with some renamed variables:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">int</span><span> __thiscall </span><span style="color: #82AAFF;">decrypt_data</span><span style="color: #89DDFF;">(</span></span> <span class="giallo-l"><span style="color: #C792EA;"> void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">encrypted_data</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> encrypted_data_len</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">output_data</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> output_data_len</span><span style="color: #89DDFF;">,</span></span> <span class="giallo-l"><span> _DWORD </span><span style="color: #89DDFF;">*</span><span style="font-style: italic;">bytes_written</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> data_len</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // edx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> output_index</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ebp</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> block_size</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // esi</span></span> <span class="giallo-l"><span style="color: #C792EA;"> unsigned int</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ecx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> encrypted_byte</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">idata</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // eax</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> remaining_data</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+10h] [ebp-54h]</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">64</span><span style="color: #89DDFF;">];</span><span style="color: #464B5D;font-style: italic;"> // [esp+20h] [ebp-44h] BYREF</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F07178;"> data_len </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> encrypted_data_len</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> output_index </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memset</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">inflated_data</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">, sizeof(</span><span style="color: #F07178;">inflated_data</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> encrypted_data_len </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;">LABEL_13:</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">bytes_written </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> output_index</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> block_size </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> data_len</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> data_len </span><span style="color: #89DDFF;">&gt;=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #F07178;"> block_size </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> remaining_data </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> data_len </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> block_size</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // inflate 1 byte of input data to 8 bytes of its bit representation</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 0x40</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> encrypted_byte </span><span style="color: #89DDFF;">= *</span><span style="color: #F07178;">encrypted_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] = (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)*</span><span style="color: #F07178;">encrypted_data </span><span style="color: #89DDFF;">&gt;&gt;</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x40</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x20</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 0x10</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">] = (</span><span style="color: #F07178;">encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) !=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> encrypted_byte </span><span style="color: #89DDFF;">&amp;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ++</span><span style="color: #F07178;">encrypted_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // do something with the inflated data</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> sub_407980</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> inflated_data</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> block_size </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> break</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;">LABEL_12:</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> remaining_data </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> goto</span><span style="color: #F07178;"> LABEL_13</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> data_len </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> remaining_data</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // deflate the data back to bytes</span></span> <span class="giallo-l"><span style="color: #F07178;"> idata </span><span style="color: #89DDFF;">= &amp;</span><span>inflated_data</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">block_size</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> output_index </span><span style="color: #89DDFF;">&gt;=</span><span style="color: #F07178;"> output_data_len </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #89DDFF;"> -</span><span style="color: #F78C6C;">101</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> output_data</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">output_index</span><span style="color: #89DDFF;">++] =</span><span> idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">6</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">5</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span>idata</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (*</span><span style="color: #F07178;">idata </span><span style="color: #89DDFF;">| (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * *(</span><span style="color: #F07178;">idata </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">))))))))))))));</span></span> <span class="giallo-l"><span style="color: #F07178;"> idata </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">block_size </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> goto</span><span style="color: #F07178;"> LABEL_12</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>At a high level this routine:</p> <ol> <li>Allocates a 64-byte scratch buffer</li> <li>Checks if there's any data to process. If not, set the output variable <code>out_data_processed</code> to the number of bytes processed and return 0x0 (<code>STATUS_SUCCESS</code>)</li> <li>Loop over the input data in 8-byte chunks and inflate each byte to its bit representation.</li> <li>After the 8-byte chunk is inflated, call <code>sub_407980</code> with the scratch buffer and <code>0</code> as arguments.</li> <li>Loop over the scratch buffer and reassemble 8 sequential bits as 1 byte, then set the byte at the appropriate index in the output buffer.</li> </ol> <p>Lots going on here, but let's take a look at step #3. If we take the bytes <code>0xAA</code> and <code>0x77</code> which have bit representations of <code>0b1010_1010</code> and <code>0b0111_1111</code> respectively and inflate them to a 16-byte array using the algorithm above, we end up with:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>| 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | | 8 | 9 | A | B | C | D | E | F |</span></span> <span class="giallo-l"><span>|---|---|---|---|---|---|---|---|----|---|---|---|---|---|---|---|---|</span></span> <span class="giallo-l"><span>| 1 | 0 | 1 | 0 | 1 | 0 | 1 | 0 | | 0 | 1 | 1 | 1 | 0 | 1 | 1 | 1 |</span></span></code></pre> <p>This routine does this process over 8 bytes at a time and completely fills the 64-byte scratch buffer with 1s and 0s just like the table above.</p> <p>Now let's look at step #4 and see what's going on in <code>sub_407980</code>:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span>_BYTE </span><span style="color: #89DDFF;">*</span><span>__thiscall </span><span style="color: #82AAFF;">sub_407980</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span><span> _BYTE </span><span style="color: #89DDFF;">*</span><span style="font-style: italic;">a2</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> int</span><span style="font-style: italic;"> a3</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // long list of stack vars removed for clarity</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">= (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v4 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> a3</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] = (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v28 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v31 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">; *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)&amp;</span><span style="color: #F07178;">v33 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v18 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v8 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E50</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(&amp;</span><span style="color: #F07178;">v34 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E51</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(&amp;</span><span style="color: #F07178;">v35 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v10</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v12 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E52</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v13 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(&amp;</span><span style="color: #F07178;">v36 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v12</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v13 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v14 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v13 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 7</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E53</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v15 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v38</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v14</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v15 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v16 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v15 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E54</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v17 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> v38</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v16</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #F07178;"> v17 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v18 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v17 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E55</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_424E80</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v34 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v35 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v36 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v37 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_424F80</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">6</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">7</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">5</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425080</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">12</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">13</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">9</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">10</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">11</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425180</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">18</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">14</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">19</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">15</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">16</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">17</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">5</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425280</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">24</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">20</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">25</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">21</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">22</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">23</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">6</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425380</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">30</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">26</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">31</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">27</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">7</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425480</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">36</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">37</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">33</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">34</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">35</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span style="color: #F07178;"> v19 </span><span style="color: #89DDFF;">= (</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)(&amp;</span><span style="color: #F07178;">unk_425681 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> v20 </span><span style="color: #89DDFF;">= &amp;</span><span style="color: #F07178;">unk_425680 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v33 </span><span style="color: #89DDFF;">= *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span style="color: #F07178;">dword_425580</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">42</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">38</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">43</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">39</span><span style="color: #89DDFF;">]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">40</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">41</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> a2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v4 </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v30 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">v20</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v19</span><span style="color: #89DDFF;">[(</span><span style="color: #F07178;">_DWORD</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[&amp;</span><span style="color: #F07178;">unk_425682 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">byte_425683 </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> a2</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v30</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v30 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v29 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v24 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v22 </span><span style="color: #89DDFF;">= *</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">v20</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v22</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v24</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v25 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[(</span><span style="color: #F07178;">_DWORD</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">v19 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v25</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v26 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">30</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">30</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[&amp;</span><span style="color: #F07178;">unk_425682 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v26</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v27 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">31</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">byte_425683 </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> a2 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v27</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v29</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v29 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> a3</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">=</span><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #F07178;"> v4 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v31 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v23 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v31 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;"> &lt;= -</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ++</span><span style="color: #F07178;">v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v31</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v23 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F07178;"> result</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>Oof. This is substantially more complicated but looks like the meat of the decryption algorithm. We'll refer to this function, <code>sub_407980</code>, as <code>decrypt_data</code> from here on out. We can see what may be an immediate roadblock: this function takes in a C++ <code>this</code> pointer (line 5) and performs bitwise operations on one of its members (line 18, 23, etc.). For now let's call this class member <code>key</code> and come back to it later.</p> <p>This function is the perfect example of decompilers emitting less than ideal code as a result of compiler optimizations/code reordering. For me, TTD was essential for following how data flows through this function. It took a few hours of banging my head against IDA and WinDbg to understand, but this function can be broken up into 3 high-level phases:</p> <ol> <li>Building a 48-byte buffer containing our key material XOR'd with data from a static table.</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 1</span><span style="color: #C792EA;"> int</span><span> v33</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 2</span><span style="color: #C792EA;"> unsigned</span><span> __int8 v34</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+44h] [ebp-34h]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 3</span><span style="color: #C792EA;"> unsigned</span><span> __int8 v35</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+45h] [ebp-33h]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 4</span><span style="color: #C792EA;"> unsigned</span><span> __int8 v36</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+46h] [ebp-32h]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 5</span><span style="color: #C792EA;"> unsigned</span><span> __int8 v37</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // [esp+47h] [ebp-31h]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 6</span><span style="color: #C792EA;"> char</span><span> v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">44</span><span style="color: #89DDFF;">];</span><span style="color: #464B5D;font-style: italic;"> // [esp+48h] [ebp-30h]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 7</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 8</span><span> v3 </span><span style="color: #89DDFF;">= (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span>this</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;"> 9</span><span> v4 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">10</span><span> v5 </span><span style="color: #89DDFF;">=</span><span> a3</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">11</span><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] = (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span>this</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">12</span><span> v28 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">13</span><span> v31 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 15</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">14</span><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">15</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">16</span><span style="color: #464B5D;font-style: italic;"> // The end statement of this loop is strange -- it&#39;s writing a byte somewhere? come back</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">17</span><span style="color: #464B5D;font-style: italic;"> // to this later</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">18</span><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">; *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)&amp;</span><span style="color: #F07178;">v33 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v18 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">19</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">20</span><span style="color: #464B5D;font-style: italic;"> // v28 Starts at 0 but is incremented by 1 during each iteration of the outer `while` loop</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">21</span><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">22</span><span style="color: #464B5D;font-style: italic;"> // v5 is our last argument which was 0</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">23</span><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">24</span><span style="color: #464B5D;font-style: italic;"> // overwrite v7 with v4, which begins at 15 but is decremented by 1 during each iteration</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">25</span><span style="color: #464B5D;font-style: italic;"> // of the outer `while` loop</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">26</span><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">27</span><span style="color: #464B5D;font-style: italic;"> // left-hand side of the xor, *(_BYTE *)(i + 48 * v7 + v3 + 4)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">28</span><span style="color: #464B5D;font-style: italic;"> // v3 in this context is our `this` pointer + 4, giving us *(_BYTE *)(i + (48 * v7) + this-&gt;maybe_key)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">29</span><span style="color: #464B5D;font-style: italic;"> // so the left-hand side of the xor is likely indexing into our key material:</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">30</span><span style="color: #464B5D;font-style: italic;"> // this-&gt;maybe_key[i + 48 * loop_multiplier]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">31</span><span style="color: #464B5D;font-style: italic;"> //</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">32</span><span style="color: #464B5D;font-style: italic;"> // right-hand side of the xor, a2[(unsigned __int8)byte_424E50[i] + 31]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">33</span><span style="color: #464B5D;font-style: italic;"> // a2 is our input encrypted data, and byte_424E50 is some static data</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">34</span><span style="color: #464B5D;font-style: italic;"> //</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">35</span><span style="color: #464B5D;font-style: italic;"> // this full statement can be rewritten as:</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">36</span><span style="color: #464B5D;font-style: italic;"> // v8 = this-&gt;maybe_key[i + 48 * loop_multiplier] ^ encrypted_data[byte_424E50[i] + 31]</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">37</span><span style="color: #F07178;"> v8 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E50</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">38</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">39</span><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">40</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">41</span><span style="color: #464B5D;font-style: italic;"> // write the result of `key_data ^ input_data` to a scratch buffer (v34)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">42</span><span style="color: #464B5D;font-style: italic;"> // v34 looks to be declared as the wrong type. v33 is actually a 52-byte buffer</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">43</span><span style="color: #89DDFF;"> *(&amp;</span><span style="color: #F07178;">v34 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">44</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">45</span><span style="color: #464B5D;font-style: italic;"> // repeat the above 5 more times</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">46</span><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( !</span><span style="color: #F07178;">v5 </span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">47</span><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">48</span><span style="color: #F07178;"> v10 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v9 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E51</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">49</span><span style="color: #F07178;"> v11 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> v28</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">50</span><span style="color: #89DDFF;"> *(&amp;</span><span style="color: #F07178;">v35 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v10</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">51</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">52</span><span style="color: #464B5D;font-style: italic;"> // snip</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">53</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">54</span><span style="color: #464B5D;font-style: italic;"> // v18 gets written to the scratch buffer at the end of the loop...</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">55</span><span style="color: #F07178;"> v18 </span><span style="color: #89DDFF;">= *(</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)(</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;"> v17 </span><span style="color: #89DDFF;">+</span><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 9</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E55</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">56</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">57</span><span style="color: #464B5D;font-style: italic;"> // this was probably the *real* last statement of the for-loop</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">58</span><span style="color: #464B5D;font-style: italic;"> // i.e. for (int i = 0; i &lt; 48; i += 6)</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">59</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span aria-hidden="true" class="giallo-ln" style="color: #3B3F5180;">60</span><span style="color: #89DDFF;"> }</span></span></code></pre> <ol start="2"> <li>Build a 32-byte buffer containing data from an 0x800-byte static table, with indexes into this table originating from indices built from the buffer in step #1. Combine this 32-byte buffer with the 48-byte buffer in step #1.</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // dword_424E80 -- some static data</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // (unsigned __int8)v38[0] + 2) -- the original decompiler output has this wrong.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // v33 should be a 52-byte buffer which consumes v38, so v38 is actually data set up in</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // the loop above.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // (32 * v34 + 2) -- v34 should be some data from the above loop as well. This looks like</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // a binary shift optimization</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // repeat with different multipliers...</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> //</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // This can be simplified as:</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // size_t index = ((v34 &lt;&lt; 5) + 2)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // | ((v37[1] &lt;&lt; 4) + 2)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // | ((v35 &lt;&lt; 3) + 2)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // | ((v36 &lt;&lt; 2) + 2)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // | ((v37 &lt;&lt; 1) + 2)</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // | v38[0]</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // v32[1] = *(int*)(((char*)&amp;dword_424e80)[index])</span></span> <span class="giallo-l"><span> v32</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] = *(</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;"> *)((</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)&amp;</span><span>dword_424E80</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> + (((</span><span style="color: #C792EA;">unsigned</span><span> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;"> *</span><span> v34 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">16</span><span style="color: #89DDFF;"> * (</span><span style="color: #C792EA;">unsigned</span><span> __int8</span><span style="color: #89DDFF;">)</span><span>v38</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> *</span><span> v35 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;"> *</span><span> v36 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) | (</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;"> *</span><span> v37 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">)));</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // repeat 7 times. each time the reference to dword_424e80 is shifted forward by 0x100.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // note: if you do the math, the next line uses dword_424e80[64]. We shift by 0x100 instead of</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // 64 because is misleading because dword_424e80 is declared as an int array -- not a char array.</span></span></code></pre> <ol start="3"> <li>Iterate over the next 8 bytes of the output buffer. For each byte index of the output buffer, index into yet <em>another</em> static 32-byte buffer and use that as the index into the table from step #2. XOR this value with the value at the current index of the output buffer.</li> </ol> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Not really sure why this calculation works like this. It ends up just being `unk_425681`&#39;s address</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// when it&#39;s used.</span></span> <span class="giallo-l"><span> v19 </span><span style="color: #89DDFF;">= (</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *)(&amp;</span><span>unk_425681 </span><span style="color: #89DDFF;">- (</span><span>_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span>a2</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> v20 </span><span style="color: #89DDFF;">= &amp;</span><span>unk_425680 </span><span style="color: #89DDFF;">- (</span><span>_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span>a2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// v4 is a number that&#39;s decremented on every iteration -- possibly bytes remaining?</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span> v4 </span><span style="color: #89DDFF;">&lt;=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Loop over 8 bytes</span></span> <span class="giallo-l"><span style="color: #F07178;"> v30 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Start XORing the output bytes with some of the data generated in step 2.</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> //</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Cheating here and doing the &quot;draw the rest of the owl&quot;, but if you observe that</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // we use `unk_425680` (v20), `unk_425681` (v19), `unk_425682`, and byte_425683, the</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // the decompiler generated suboptimal code. We can simplify to be relative to just</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // `unk_425680`</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> //</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // *result ^= step2_bytes[unk_425680[output_index] - 1]</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">v20</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // result[1] ^= step2_bytes[unk_425680[output_index] + 1]</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>v19</span><span style="color: #89DDFF;">[(</span><span style="color: #F07178;">_DWORD</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // result[2] ^= step2_bytes[unk_425680[output_index] + 2]</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">2</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[&amp;</span><span style="color: #F07178;">unk_425682 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // result[3] ^= step2_bytes[unk_425680[output_index] + 3]</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">3</span><span style="color: #89DDFF;">] ^= *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">byte_425683 </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> a2</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Move our our pointer to the output buffer forward by 4 bytes</span></span> <span class="giallo-l"><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v30</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v30 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> else</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // loop over 8 bytes</span></span> <span class="giallo-l"><span style="color: #F07178;"> v29 </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // grab the byte at 0x20, we&#39;re swapping this later</span></span> <span class="giallo-l"><span style="color: #F07178;"> v24 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">32</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // v22 = *result ^ step2_bytes[unk_425680[output_index] - 1]</span></span> <span class="giallo-l"><span style="color: #F07178;"> v22 </span><span style="color: #89DDFF;">= *</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">v20</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // I&#39;m not sure why the output buffer pointer is incremented here, but</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // this really makes the code ugly</span></span> <span class="giallo-l"><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Write the byte generated above to offset 0x1c</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v22</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // Write the byte at 0x20 to offset 0</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v24</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // rinse, repeat with slightly different offsets each time...</span></span> <span class="giallo-l"><span style="color: #F07178;"> v25 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[(</span><span style="color: #F07178;">_DWORD</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">v19 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v25</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v26 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">30</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">30</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[&amp;</span><span style="color: #F07178;">unk_425682 </span><span style="color: #89DDFF;">- (</span><span style="color: #F07178;">_UNKNOWN </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">a2 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v26</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v27 </span><span style="color: #89DDFF;">=</span><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">31</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> result</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">31</span><span style="color: #89DDFF;">] = *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) ^ *((</span><span style="color: #F07178;">_BYTE </span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">v32 </span><span style="color: #89DDFF;">+ (</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>result</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">byte_425683 </span><span style="color: #89DDFF;">-</span><span style="color: #F07178;"> a2 </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> *(</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">) =</span><span style="color: #F07178;"> v27</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> --</span><span style="color: #F07178;">v29</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> v29 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span></code></pre> <p>The inner loop in the <code>else</code> branch above I think is kind of nasty, so here it is reimplemented in Rust:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="rust"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">for</span><span> _</span><span style="color: #F78C6C;"> in 0</span><span style="color: #89DDFF;">..</span><span style="color: #F78C6C;">8</span><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;"> // we swap the `first` index with the `second`</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span>first</span><span style="color: #89DDFF;">,</span><span> second</span><span style="color: #89DDFF;">)</span><span style="color: #F78C6C;"> in</span><span style="color: #89DDFF;"> (</span><span style="color: #F78C6C;">0x1c</span><span style="color: #89DDFF;">..=</span><span style="color: #F78C6C;">0x1f</span><span style="color: #89DDFF;">).</span><span style="color: #82AAFF;">zip</span><span style="color: #89DDFF;">(</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">..</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> original_byte_idx</span><span style="color: #89DDFF;"> =</span><span> first</span><span style="color: #89DDFF;"> +</span><span> output_offset</span><span style="color: #89DDFF;"> +</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> original_byte</span><span style="color: #89DDFF;"> =</span><span> outbuf</span><span style="color: #89DDFF;">[</span><span>original_byte_idx</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> constant</span><span style="color: #89DDFF;"> =</span><span> unk_425680</span><span style="color: #89DDFF;">[</span><span>output_offset</span><span style="color: #89DDFF;"> +</span><span> second</span><span style="color: #89DDFF;">]</span><span style="color: #F78C6C;"> as</span><span style="color: #FFCB6B;"> usize</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> new_byte</span><span style="color: #89DDFF;"> =</span><span> outbuf</span><span style="color: #89DDFF;">[</span><span>output_offset</span><span style="color: #89DDFF;"> +</span><span> second</span><span style="color: #89DDFF;">] ^</span><span> generated_bytes_from_step2</span><span style="color: #89DDFF;">[</span><span>constant</span><span style="color: #89DDFF;"> -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> let</span><span> new_idx</span><span style="color: #89DDFF;"> =</span><span> original_byte_idx</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> outbuf</span><span style="color: #89DDFF;">[</span><span>new_idx</span><span style="color: #89DDFF;">] =</span><span> new_byte</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> outbuf</span><span style="color: #89DDFF;">[</span><span>output_offset</span><span style="color: #89DDFF;"> +</span><span> second</span><span style="color: #89DDFF;">] =</span><span> original_byte</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span> output_offset</span><span style="color: #89DDFF;"> +=</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h3 id="key-setup"><a class="zola-anchor" href="#key-setup" aria-label="Anchor link for: key-setup" >#</a > Key Setup</h3> <p>We now need to figure out how our key is set up for usage in the <code>decrypt_data</code> function above. My approach here is to set a breakpoint at the first instruction to use the key data in <code>decrypt_data</code>, which happens to be <code>xor bl, [ecx + esi + 4]</code> at <code>0x4079d3</code>. I know this is where we should break because in the decompiler output the left-hand side of the XOR operation, the key material, will be the <em>second</em> operand in the <code>xor</code> instruction. As a reminder, the decompiler shows the XOR as:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span>v8 </span><span style="color: #89DDFF;">= *(</span><span>_BYTE </span><span style="color: #89DDFF;">*)(</span><span>i </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;"> *</span><span> v7 </span><span style="color: #89DDFF;">+</span><span> v3 </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">) ^</span><span> a2</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E50</span><span style="color: #89DDFF;">[</span><span>i</span><span style="color: #89DDFF;">] +</span><span style="color: #F78C6C;"> 31</span><span style="color: #89DDFF;">];</span></span></code></pre> <p>The breakpoint is hit and the address we're loading from is <code>0x19f5c4</code>. We can now lean on TTD to help us figure out where this data was last written. Set a 1-byte memory write breakpoint at this address using <code>ba w1 0x19f5c4</code> and press the <code>Go Back</code> button. If you've never used TTD before, this operates exactly as <code>Go</code> would except <em>backwards</em> in the program's trace. In this case it will execute backward until either a breakpoint is hit, interrupt is generated, or we reach the start of the program.</p> <p>Our memory write breakpoint gets triggered at <code>0x4078fb</code> -- a function we haven't seen before. The callstack shows that it's called not terribly far from the <code>decrypt_update_info</code> routine!</p> <ul> <li><code>set_key</code> (we are here -- function is originally called <code>sub_407850</code>)</li> <li><code>sub_4082c0</code></li> <li><code>decrypt_update_info</code></li> </ul> <p>What's <code>sub_4082c0</code>?</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;timestamp_inflation.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;timestamp_inflation.5e46a11b487ec708.png" alt="" width="444" height="248" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>Not a lot to see here except the same function called 4 times, initially with the timestamp string as an argument in position 0, a 64-byte buffer, and bunch of function calls using the return value of the last as its input. The function our debugger just broke into takes only 1 argument, which is the 64-byte buffer used across <em>all</em> of these function calls. So what's going on in <code>sub_407e80</code>?</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;inflate_timestamp.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;inflate_timestamp.65ac73080c0654a8.png" alt="" width="712" height="800" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>The bitwise operations that look supsiciously similar to the byte to bit inflation we saw above with the firmware data. After renaming things and performing some loop unrolling, things look like this:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// sub_407850</span></span> <span class="giallo-l"><span style="color: #C792EA;">int</span><span style="color: #82AAFF;"> inflate_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">timestamp_str</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">output</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> uint8_t</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">key</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">size_t</span><span style="color: #F07178;"> output_idx </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> output_idx </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> output_idx</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> uint8_t</span><span style="color: #F07178;"> ts_byte </span><span style="color: #89DDFF;">= *</span><span style="color: #F07178;">timestamp_str</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;">ts_byte</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #F07178;"> timestamp_str </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">int</span><span style="color: #F07178;"> bit_idx </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> bit_idx </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> bit_idx</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> uint8_t</span><span style="color: #F07178;"> bit_value </span><span style="color: #89DDFF;">= (</span><span style="color: #F07178;">ts_byte </span><span style="color: #89DDFF;">&gt;&gt; (</span><span style="color: #F78C6C;">7</span><span style="color: #89DDFF;"> -</span><span style="color: #F07178;"> bit_idx</span><span style="color: #89DDFF;">)) &amp;</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span> output</span><span style="color: #89DDFF;">[(</span><span style="color: #F07178;">output_idx </span><span style="color: #89DDFF;">*</span><span style="color: #F78C6C;"> 8</span><span style="color: #89DDFF;">) +</span><span style="color: #F07178;"> bit_idx</span><span style="color: #89DDFF;">] ^=</span><span style="color: #F07178;"> bit_value</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> set_key</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> key</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> decrypt_data</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> output</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F07178;"> timestamp_str</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// sub_4082c0</span></span> <span class="giallo-l"><span style="color: #C792EA;">int</span><span style="color: #82AAFF;"> set_key_to_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">timestamp_str</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> uint8_t</span><span> key_buf</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">64</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memset</span><span style="color: #89DDFF;">(&amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">, sizeof(</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">str_ptr </span><span style="color: #89DDFF;">=</span><span style="color: #82AAFF;"> inflate_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> timestamp_str</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">static_key_1</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> str_ptr </span><span style="color: #89DDFF;">=</span><span style="color: #82AAFF;"> inflate_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> str_ptr</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">static_key_2</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #F07178;"> str_ptr </span><span style="color: #89DDFF;">=</span><span style="color: #82AAFF;"> inflate_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> str_ptr</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">static_key_3</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> inflate_timestamp</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> str_ptr</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">static_key_4</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> set_key</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">this</span><span style="color: #89DDFF;">, &amp;</span><span style="color: #F07178;">key_buf</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>The only mystery now is the <code>set_key</code> routine:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">int</span><span> __thiscall </span><span style="color: #82AAFF;">set_key</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">char</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> const void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">a2</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #F07178;"> _DWORD </span><span style="color: #89DDFF;">*</span><span style="color: #F07178;">v2</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // ebp</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #89DDFF;"> *</span><span style="color: #F07178;">v3</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // edx</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> v5</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> v6</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // al</span></span> <span class="giallo-l"><span style="color: #C792EA;"> int</span><span style="color: #F07178;"> result</span><span style="color: #89DDFF;">;</span><span style="color: #464B5D;font-style: italic;"> // eax</span></span> <span class="giallo-l"><span style="color: #C792EA;"> char</span><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">56</span><span style="color: #89DDFF;">];</span><span style="color: #464B5D;font-style: italic;"> // [esp+Ch] [ebp-3Ch] BYREF</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #82AAFF;"> qmemcpy</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">v10</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> a2</span><span style="color: #89DDFF;">, sizeof(</span><span style="color: #F07178;">v10</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"><span style="color: #F07178;"> v2 </span><span style="color: #89DDFF;">= &amp;</span><span style="color: #F07178;">unk_424DE0</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> this </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 5</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> do</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v4 </span><span style="color: #89DDFF;">=</span><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> qmemcpy</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">v10</span><span style="color: #89DDFF;">, &amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 0x1Bu</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">27</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v4</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v5 </span><span style="color: #89DDFF;">=</span><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> qmemcpy</span><span style="color: #89DDFF;">(&amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">], &amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 0x1Bu</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">55</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v5</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> ( *</span><span style="color: #F07178;">v2 </span><span style="color: #89DDFF;">==</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span style="color: #F07178;"> v6 </span><span style="color: #89DDFF;">=</span><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> qmemcpy</span><span style="color: #89DDFF;">(</span><span style="color: #F07178;">v10</span><span style="color: #89DDFF;">, &amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 0x1Bu</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">27</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v6</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v7 </span><span style="color: #89DDFF;">=</span><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> qmemcpy</span><span style="color: #89DDFF;">(&amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">], &amp;</span><span>v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 0x1Bu</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> v10</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">55</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> v7</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> result </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 6</span><span style="color: #89DDFF;"> )</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> {</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">-</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E20</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E21</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E22</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E23</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 3</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E24</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span> v3</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result </span><span style="color: #89DDFF;">+</span><span style="color: #F78C6C;"> 4</span><span style="color: #89DDFF;">] =</span><span> v10</span><span style="color: #89DDFF;">[(</span><span style="color: #C792EA;">unsigned</span><span style="color: #F07178;"> __int8</span><span style="color: #89DDFF;">)</span><span>byte_424E25</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">result</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> ++</span><span style="color: #F07178;">v2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #F07178;"> v3 </span><span style="color: #89DDFF;">+=</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> while</span><span style="color: #89DDFF;"> ( (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">v2 </span><span style="color: #89DDFF;">&lt; (</span><span style="color: #C792EA;">int</span><span style="color: #89DDFF;">)</span><span style="color: #F07178;">byte_424E20 </span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #F07178;"> result</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>This function is a bit more straightforward to reimplement:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="c"><span class="giallo-l"><span style="color: #C792EA;">void</span><span style="color: #82AAFF;"> set_key</span><span style="color: #89DDFF;">(</span><span style="color: #C792EA;">void</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">this</span><span style="color: #89DDFF;">,</span><span style="color: #C792EA;"> uint8_t</span><span style="color: #89DDFF;"> *</span><span style="font-style: italic;">key</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> uint8_t</span><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">56</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memcpy</span><span style="color: #89DDFF;">(&amp;</span><span style="color: #F07178;">scrambled_key</span><span style="color: #89DDFF;">,</span><span style="color: #F07178;"> key</span><span style="color: #89DDFF;">, sizeof(</span><span style="color: #F07178;">scrambled_key</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">size_t</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 16</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> size_t</span><span style="color: #F07178;"> swap_rounds </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> if</span><span style="color: #89DDFF;"> (((</span><span style="color: #C792EA;">uint32_t</span><span style="color: #89DDFF;">*)</span><span style="color: #F07178;">GLOBAL_KEY_ROUNDS_CONFIG</span><span style="color: #89DDFF;">)[</span><span style="color: #F07178;">i</span><span style="color: #89DDFF;">] ==</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #F07178;"> swap_rounds </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 2</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">int</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F07178;"> swap_rounds</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> i</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> uint8_t</span><span style="color: #F07178;"> temp </span><span style="color: #89DDFF;">=</span><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">0</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memcpy</span><span style="color: #89DDFF;">(&amp;</span><span style="color: #F07178;">scrambled_key</span><span style="color: #89DDFF;">, &amp;</span><span>scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">1</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 27</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">27</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> temp</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #F07178;"> temp </span><span style="color: #89DDFF;">=</span><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #82AAFF;"> memcpy</span><span style="color: #89DDFF;">(&amp;</span><span>scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">28</span><span style="color: #89DDFF;">], &amp;</span><span>scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">29</span><span style="color: #89DDFF;">],</span><span style="color: #F78C6C;"> 27</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F78C6C;">55</span><span style="color: #89DDFF;">] =</span><span style="color: #F07178;"> temp</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> for</span><span style="color: #89DDFF;"> (</span><span style="color: #C792EA;">size_t</span><span style="color: #F07178;"> swap_idx </span><span style="color: #89DDFF;">=</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> swap_idx </span><span style="color: #89DDFF;">&lt;</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">;</span><span style="color: #F07178;"> swap_idx</span><span style="color: #89DDFF;">++) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> size_t</span><span style="color: #F07178;"> scrambled_key_idx </span><span style="color: #89DDFF;">=</span><span> GLOBAL_KEY_SWAP_TABLE</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">swap_idx</span><span style="color: #89DDFF;">] -</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #C792EA;"> size_t</span><span style="color: #F07178;"> persistent_key_idx </span><span style="color: #89DDFF;">=</span><span style="color: #F07178;"> swap_idx </span><span style="color: #89DDFF;">+ (</span><span style="color: #F07178;">i </span><span style="color: #89DDFF;">*</span><span style="color: #F78C6C;"> 48</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span> this</span><span style="color: #89DDFF;">-&gt;</span><span>key</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">persistent_key_idx</span><span style="color: #89DDFF;">] =</span><span> scrambled_key</span><span style="color: #89DDFF;">[</span><span style="color: #F07178;">scrambled_key_idx</span><span style="color: #89DDFF;">];</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> }</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre><h3 id="putting-everything-together"><a class="zola-anchor" href="#putting-everything-together" aria-label="Anchor link for: putting-everything-together" >#</a > Putting Everything Together</h3> <ol> <li>Update data is read from resources</li> <li>The first 4 bytes of the update data are a Unix timestamp</li> <li>The timestamp is formatted as a string, has each byte inflated to its bit representation, and decrypted using some static key material as the key. This is repeated 4 times with the output of the previous run used as an input to the next.</li> <li>The resulting data from step 3 is used as a key for decrypting data.</li> <li>The remainder of the firmware update image is inflated to its bit representation 8 bytes at a time and uses the dynamic key and 3 other unique static lookup tables to transform the inflated input data.</li> <li>The result from step 5 is deflated back into its <em>byte</em> representation.</li> </ol> <p>My decryption utility which completely reimplements this magic in Rust can be found at <a rel="external" href="https://github.com/landaire/porkchop">https://github.com/landaire/porkchop</a>.</p> <h2 id="loading-the-firmware-in-ida-pro"><a class="zola-anchor" href="#loading-the-firmware-in-ida-pro" aria-label="Anchor link for: loading-the-firmware-in-ida-pro" >#</a > Loading the Firmware in IDA Pro</h2> <p>IDA thankfully supports disassembling the Hitachi/Rensas H8SX architecture. If we load our firmware into IDA and select the "Hitachi H8SX advanced" processsor type, use the default options for the "Disassembly memory organization" dialog, then finally choose "H8S/2215R" in the "Choose the device name" dialog...:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;rom_initial_load.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;rom_initial_load.883b3f9fcc2c1b5d.png" alt="" width="800" height="686" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We don't have shit. I'm not an embedded systems expert, but my friend suggested that the first few DWORDs look like they may belong to a vector table. If we right-click address 0 and select "Double word 0x142A", we can click on the new variable <code>unk_142A</code> to go to its location. Press <code>C</code> at this location to define it as Code, then press <code>P</code> to create a function at this address:</p> <a href="https:&#x2F;&#x2F;landaire.net&#x2F;img&#x2F;yaesu&#x2F;firmware_analyzed.png" data-lightbox> <img src="https:&#x2F;&#x2F;landaire.net&#x2F;processed_images&#x2F;firmware_analyzed.7bd41c86909a3a9f.png" alt="" width="800" height="686" class="lightbox-img rounded-lg shadow-sm mx-auto block" /> </a> <p>We can now reverse engineer our firmware :)</p> 2016-04-22T15:01:55-07:00 2016-04-22T15:01:55-07:00 Unknown https://landaire.net/apple-imageio-dos/ <p>Last Updated: April 5, 2017 to address some incompleteness and errors. You can view the revision history <a rel="external" href="https://github.com/landaire/landaire.net">here</a>.</p> <p>Application Services is a framework in iOS and OS X which provides what's known as the Image I/O framework. ImageIO itself is a collection of utilities and data types for parsing various image formats. It's used in many OS X and iOS applications including:</p> <ul> <li>Tweetbot</li> <li>Safari</li> <li>Messages</li> <li>Mail</li> <li>Preview</li> </ul> <p>Some popular applications that <em>do not</em> use ImageIO include:</p> <ul> <li>Chrome</li> <li>Firefox</li> <li>Telegram</li> </ul> <p>Given the impact of media processing bugs such as Stagefright I decided that this would be a good target for fuzzing. I created a simple application that uses some various features of ImageIO, grabbed a small PNG I had on my desktop which happened to be a screenshot, and let afl run.</p> <p>I checked on my fuzzer after 30 minutes and already a crash!</p> <p>Here's the code used: <a rel="external" href="https://gist.github.com/landaire/63e9a94f197c345335d165a16cea6a64">Gist</a> (this is almost verbatim Apple's ImageIO sample).</p> <p><strong>Note: a tl;dr is available at the bottom</strong></p> <h1 id="png-structure"><a class="zola-anchor" href="#png-structure" aria-label="Anchor link for: png-structure" >#</a > PNG Structure</h1> <p>Before I dive into the vulnerability I'll talk a little bit about the structure of PNG files. PNGs are comprised of the header and chunks with chunks starting at offset 0x8 in the file. Each chunk contains the chunk type (a 4-character ASCII string), some data, and a CRC32 of that data.</p> <p>The chunk structure can be represented as the following Go struct:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="go"><span class="giallo-l"><span style="color: #89DDFF;">type</span><span style="color: #FFCB6B;"> Chunk</span><span style="color: #89DDFF;"> struct {</span></span> <span class="giallo-l"><span> Length</span><span style="color: #C792EA;"> uint32</span></span> <span class="giallo-l"><span> Type</span><span style="color: #89DDFF;"> [</span><span style="color: #F78C6C;">4</span><span style="color: #89DDFF;">]</span><span style="color: #C792EA;">byte</span></span> <span class="giallo-l"><span> Data</span><span style="color: #89DDFF;"> []</span><span style="color: #C792EA;">byte</span></span> <span class="giallo-l"><span> CRC</span><span style="color: #C792EA;"> uint32</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>The PNG specification defines 4 "critical" chunk types and 14 "ancillary" chunk types for a total of 18 formally defined types <a rel="external" href="https://www.w3.org/TR/PNG/#4Concepts.FormatTypes">which you can find here</a>. Any chunks not specified here are considered unknown chunks that can be handled by the decoder.</p> <h1 id="the-vulnerability"><a class="zola-anchor" href="#the-vulnerability" aria-label="Anchor link for: the-vulnerability" >#</a > The vulnerability</h1> <p>Inspecting the crash log of the application makes it pretty obvious that we have a null pointer dereference:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>Exception Type: EXC_BAD_ACCESS (SIGSEGV)</span></span> <span class="giallo-l"><span>Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000</span></span> <span class="giallo-l"><span>Triggered by Thread: 0</span></span></code></pre> <p>The stack trace tells us a little more though:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>Thread 0 name: Dispatch queue: com.apple.main-thread</span></span> <span class="giallo-l"><span>Thread 0 Crashed:</span></span> <span class="giallo-l"><span>0 ImageIO 0x18699a618 0x186994000 + 0x6618 // read_user_chunk_callback + 0x13c</span></span> <span class="giallo-l"><span>1 ImageIO 0x18699a610 0x186994000 + 0x6610 // read_user_chunk_callback + 0x134</span></span> <span class="giallo-l"><span>2 ImageIO 0x18699a328 0x186994000 + 0x6328 // png_handle_unknown + 0x44</span></span> <span class="giallo-l"><span>3 ImageIO 0x18699961c 0x186994000 + 0x561c // _cg_png_read_info + 0x11c</span></span> <span class="giallo-l"><span>4 ImageIO 0x186997b38 0x186994000 + 0x3b38 // initImagePng + 0x654</span></span> <span class="giallo-l"><span>5 ImageIO 0x186996c98 0x186994000 + 0x2c98 // makeImagePlus + 0x4e4</span></span> <span class="giallo-l"><span>6 ImageIO 0x186996240 0x186994000 + 0x2240 // CGImageSourceCreateImageAtIndex + 0xb8</span></span> <span class="giallo-l"><span>7 UIKit 0x18ad473d8 0x18abe0000 + 0x1673d8 // _UIImageRefFromData + 0x1a8</span></span> <span class="giallo-l"><span>8 UIKit 0x18aed2ff8 0x18abe0000 + 0x2f2ff8 // -[UIImage(UIImagePrivate) _initWithData:preserveScale:cache:] + 0x78</span></span> <span class="giallo-l"><span>9 UIKit 0x18ad471fc 0x18abe0000 + 0x1671fc // +[UIImage imageWithData:] + 0x48</span></span></code></pre> <p><code>read_user_chunk_callback</code> is where the crash occurs. A quick Google search for this and <code>png_handle_unknown</code> yields some results in libpng. Some more digging around the source code lead me to conclude that Apple uses libpng under the hood for the PNG files and the crashing image has an unknown (non-standard) chunk that's related to the crash. <a rel="external" href="https://github.com/glennrp/libpng/blob/e744ee13382d810246e94256c488bb7ebc000789/pngrutil.c#L2826"><code>png_handle_unknown</code></a> will, if <code>PNG_READ_UNKNOWN_CHUNKS_SUPPORTED</code> is enabled, <a rel="external" href="https://github.com/glennrp/libpng/blob/e744ee13382d810246e94256c488bb7ebc000789/pngrutil.c#L2859-L2865">call a user function callback</a> for the application to handle the chunk. So <code>read_user_chunk_callback</code> is the name of Apple's custom chunk handler.</p> <p>A quick diff between the input file and crasher revealed that the input file had a chunk with data size of 0. What's happening here is:</p> <ul> <li>libpng which is compiled to read unknow chunks hits an unknown chunk</li> <li>ImageIO has an unknown chunk callback setup</li> <li>Since the size of the chunk data is 0, libpng gives the callback a null data chunk pointer</li> <li>The data section is used without first checking the size of the value of the pointer</li> </ul> <p>Earlier I mentioned that the image I grabbed was some random screenshot I had sitting on my desktop. It turns out that screenshots taken on OS X include a custom <code>iDOT</code> chunk which contain some additional 28 bytes of data. The structure for the screenshots I took were of form:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="go"><span class="giallo-l"><span>num_entries</span><span style="color: #C792EA;"> uint32</span><span style="color: #89DDFF;"> (</span><span>usually</span><span style="color: #F78C6C;"> 0x00000002</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span>unk1</span><span style="color: #C792EA;"> uint32</span><span style="color: #89DDFF;"> (</span><span>usually</span><span style="color: #F78C6C;"> 0x00000000</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span>width</span><span style="color: #C792EA;"> uint32</span></span> <span class="giallo-l"><span>unk2</span><span style="color: #C792EA;"> uint32</span><span style="color: #89DDFF;"> (</span><span>usually</span><span style="color: #F78C6C;"> 0x00000028</span><span style="color: #89DDFF;">)</span></span> <span class="giallo-l"><span>width</span><span style="color: #C792EA;"> uint32</span></span> <span class="giallo-l"><span>width</span><span style="color: #C792EA;"> uint32</span></span> <span class="giallo-l"><span>unk3</span><span style="color: #C792EA;"> uint32</span></span></code></pre> <p>(Yes, the width appears to be repeated 3 times)</p> <p>I couldn't figure out what the unknown data is and wasn't too motivated to reverse engineer the rest of the function so if anyone reading this has any ideas, please ping me on Twitter (@landaire).</p> <p>This was the offending chunk which is handled by this callback. Taking any screenshot and setting the size of the <code>iDOT</code> chunk to 0 is enough to trigger the bug.</p> <h1 id="impact"><a class="zola-anchor" href="#impact" aria-label="Anchor link for: impact" >#</a > Impact</h1> <p>This bug can be triggered any time a PNG file is being processed. So really, anything that processes the image can be caused to crash. Some examples:</p> <ul> <li>Receiving the malicious image via text message with message previews turned on will crash SpringBoard on iOS</li> <li>Entering a message thread containing the image will crash the messages app</li> <li>Opening an email containing the image will crash the mail client</li> <li>Posting a link to the image will crash some third-party Twitter clients which try to load the image (Tweetbot for example)</li> <li>Visiting a page containing the image will crash Safari's content renderer</li> </ul> <h1 id="affected-versions"><a class="zola-anchor" href="#affected-versions" aria-label="Anchor link for: affected-versions" >#</a > Affected versions</h1> <p>The only devices I had available at the time were an iPad on iOS 7.1, my iPhone on iOS 9.0.2, and my Mac on OS X 10.11.2. All of these devices were vulnerable. It's reasonable to assume that this bug goes back quite far.</p> <table><thead><tr><th></th><th>iOS</th><th>OS X</th></tr></thead><tbody> <tr><td>Minimum tested version</td><td>7.1</td><td>10.11.1</td></tr> <tr><td>Fixed version</td><td>9.3.2</td><td>10.11.5</td></tr> </tbody></table> <h1 id="other-findings"><a class="zola-anchor" href="#other-findings" aria-label="Anchor link for: other-findings" >#</a > Other findings</h1> <p>In exploring this bug I thought it was useful to test out various applications to see how they would handle this type of invalid image. Since the chunks all contain a CRC32 of the data, you cannot modify the image outright and then upload it to almost any service. Twitter and imgur were two hosts I tried and they both would not accept the image because of the invalid CRC32. I wrote a <a rel="external" href="https://gitlab.com/landaire/png-crc-fix">simple Go utility</a> that iterates the chunks and fixes any invalid CRCs.</p> <p>After fixing the chunk both hosts accepted the image just fine. imgur (and likely most other hosts) do not bother to strip unknown chunks so uploading the image to imgur puts those users at risk. Twitter and Facebook on the other hand will re-encode any image as a JPEG which will obviously remove the malicious chunk.</p> <p>I think that this is interesting and really important for privacy-concerned people. Before investigating this bug I had not considered additional chunks <em>not</em> being stripped when uploading an image to services. It makes sense, but it seems like this would be an easy way for vendors to hide additional info about the device which took the image outside of the EXIF-related chunks and have them survive re-encoding.</p> <h1 id="timeline"><a class="zola-anchor" href="#timeline" aria-label="Anchor link for: timeline" >#</a > Timeline</h1> <ul> <li>Dec 16, 2015: Reported vulnerability to vendor</li> <li>Dec 17, 2015: Vendor acknowledged vulnerability</li> <li>Dec 27, 2015: Posted pic to Twitter to see what would happen</li> <li>Dec 27, 2015: Vendor said the bug was undergoing triage</li> <li>Mar 21, 2016 (91 days since disclosure): iOS 9.3 released and bug still not fixed, status update requested</li> <li>Mar 22, 2016: Vendor notified me that a fix is "in progress"</li> <li>April 22, 2016: Public disclosure</li> <li>May 16, 2016: iOS 9.3.2 and macOS 10.11.5 were released, giving this vulnerability CVE-2016-1811</li> </ul> <p>If you'd like to have a sample image, you can find it <a href="/img/crasher.png">here</a>. <strong>NOTE</strong> if you are using Safari, your browser's renderer process will crash. If you aren't, you will see a screenshot of a Kanye tweet.</p> <p><strong>tl;dr</strong> a custom PNG chunk with a 0-length data field will trigger null pointer dereference causing the application to crash similar to the <a rel="external" href="http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/">CoreText</a> crash from 2013.</p> <p>shoutouts to my boys ed snowden and james comey</p> 2016-01-25T22:05:08-08:00 2016-01-25T22:05:08-08:00 Unknown https://landaire.net/phpbb-3-1-7-security-update/ <p>The phpBB team released phpBB version <a rel="external" href="https://www.phpbb.com/support/documents.php?mode=changelog#v317">3.1.7-PL1</a> on Jan 11, 2016 which fixed a CSRF issue I found in the admin control panel BBCode creation form. Since BBCode is basically whitelisted HTML created by admins this CSRF vulnerability could allow an attacker to inject arbitrary HTML or JavaScript into forum posts.</p> <p>This was my first time looking at phpBB and I was very happy with actually being able to find something with significant impact within a few hours.</p> <h2 id="finding-a-target"><a class="zola-anchor" href="#finding-a-target" aria-label="Anchor link for: finding-a-target" >#</a > Finding a target</h2> <p>A good starting point for understanding the features and flow of phpBB controllers would be to look at something users would have access to with complex operations going on. <code>./phpbb/phpBB/posting.php</code> is a decent starting point since this is the page users hit when creating topics/posts. This controller should have permission checks, record creation, form submission, and maybe some HTML escaping. At the top of the file we can see something interesting:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="php"><span class="giallo-l"><span style="color: #464B5D;font-style: italic;">// Grab only parameters needed here</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>post_id</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> request_var</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">p</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>topic_id</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> request_var</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">t</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>forum_id</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> request_var</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">f</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>draft_id</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> request_var</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">d</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>lastclick</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> request_var</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">lastclick</span><span style="color: #89DDFF;">&#39;,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">);</span></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>preview</span><span style="color: #89DDFF;"> = (</span><span style="color: #82AAFF;">isset</span><span style="color: #89DDFF;">($</span><span>_POST</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">preview</span><span style="color: #89DDFF;">&#39;])) ? true : false;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>save</span><span style="color: #89DDFF;"> = (</span><span style="color: #82AAFF;">isset</span><span style="color: #89DDFF;">($</span><span>_POST</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">save</span><span style="color: #89DDFF;">&#39;])) ? true : false;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>load</span><span style="color: #89DDFF;"> = (</span><span style="color: #82AAFF;">isset</span><span style="color: #89DDFF;">($</span><span>_POST</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">load</span><span style="color: #89DDFF;">&#39;])) ? true : false;</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>confirm</span><span style="color: #89DDFF;"> = $</span><span>request</span><span style="color: #89DDFF;">-&gt;</span><span style="color: #82AAFF;">is_set_post</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">confirm</span><span style="color: #89DDFF;">&#39;);</span></span> <span class="giallo-l"><span style="color: #89DDFF;">$</span><span>cancel</span><span style="color: #89DDFF;"> = (</span><span style="color: #82AAFF;">isset</span><span style="color: #89DDFF;">($</span><span>_POST</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">cancel</span><span style="color: #89DDFF;">&#39;]) &amp;&amp; !</span><span style="color: #82AAFF;">isset</span><span style="color: #89DDFF;">($</span><span>_POST</span><span style="color: #89DDFF;">[&#39;</span><span style="color: #C3E88D;">save</span><span style="color: #89DDFF;">&#39;])) ? true : false;</span></span></code></pre> <p>Mostly all of the request variables used in this controller are defined a the top of the file, some of which are taken from this weird <code>request_var()</code> function which IntelliJ tells me is deprecated. This function is basically a wrapper for <code>\phpbb\request\request_interface::variable()</code>. Looking at <code>\phpbb\request\request::variable()</code> it can be seen that this method returns the requested var from some associative array. The array is the concatenation of the <code>$_POST</code> and <code>$_GET</code> global variables. For those of you not familiar with PHP these are globals which contain the POST request and query vars (respectively). All of these variables are also <code>trim()</code>'d and type casted to match the type of whatever the default value is.</p> <p>This is a key bit of information: if we can find some place in a form where a POST request is made we should also be able to make the request with a GET. Maybe we should start looking for CSRF bugs?</p> <h2 id="how-csrf-tokens-work-in-phpbb"><a class="zola-anchor" href="#how-csrf-tokens-work-in-phpbb" aria-label="Anchor link for: how-csrf-tokens-work-in-phpbb" >#</a > How CSRF tokens work in phpBB</h2> <p>Doing a simple find in file for "form" in IDEA I came across this line:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="php"><span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">if</span><span style="color: #89DDFF;"> ($</span><span>submit</span><span style="color: #89DDFF;"> &amp;&amp;</span><span style="color: #82AAFF;"> check_form_key</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">posting</span><span style="color: #89DDFF;">&#39;))</span></span></code></pre> <p>Looking into the <code>check_form_key()</code> function it's clear that this is the function to check the CSRF token (using <code>===</code> mind you)... but it's done manually. And further <em>down</em> the file:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="php"><span class="giallo-l"><span style="color: #82AAFF;">add_form_key</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">posting</span><span style="color: #89DDFF;">&#39;);</span></span></code></pre> <p>So adding and checking the CSRF token is done manually. This smells like something that can lead to errors!</p> <h2 id="finding-csrf-bugs"><a class="zola-anchor" href="#finding-csrf-bugs" aria-label="Anchor link for: finding-csrf-bugs" >#</a > Finding CSRF bugs!</h2> <p>Let's search the project for <code>add_form_key()</code> and <code>check_form_key()</code>. What we're looking for is files that show up in the result for <code>add_form_key()</code> but not for <code>check_form_key()</code>.</p> <p>The following image is the result of the search for <code>add_form_key()</code> and <code>check_form_key()</code> respectively, with the admin control panel includes folder expanded:</p> <p><img src="/img/csrf_diff.png" alt="add_form_key(left) vs check_form_key(right)" /></p> <p>The greater number of <code>check_form_key()</code> calls to <code>add_form_key()</code> calls isn't really concerning since you can check the form key as many times as you'd like. What we're looking for is places where a form key is added but not checked. We can see there are two places where calls to <code>check_form_key()</code> are definitely missing:</p> <ul> <li><code>acp_bbcode.php</code></li> <li><code>acp_extensions.php</code></li> </ul> <p><code>acp_extensions.php</code> isn't too interesting since that just lets admins toggle showing unstable versions when checking extensions for updates, so the worse a CSRF vuln here does is allow an attacker to make an admin think their extensions are outdated.</p> <p>The check in <code>acp_bbcode.php</code> is of interest though since, although the form is submitted via POST, the <code>request_var()</code> method is used to retrieve all form variables. We should be able to create BBCode over GET with a CSRF token omitted!</p> <p>Here's a demonstration of this vulnerability:</p> <p>{{&lt; youtube 7NsUoE32cyQ &gt;}}</p> <h2 id="notes"><a class="zola-anchor" href="#notes" aria-label="Anchor link for: notes" >#</a > Notes</h2> <p>Although this vulnerability can lead to XSS, it's really not practical. By default phpBB enforces re-authentication when admins go to the ACP and gives the admin a different admin CP session ID. The SID also needs to be present in both the cookie and query string by default.</p> <p>In theory a timing attack is possible since session IDs are checked with the equals operator (<code>$this-&gt;session_id !== $session_id</code>) but this is also not very practical since sessions are tied to IP, browser, and some other information but most importantly doing it over the network isn't exactly easy.</p> <p>The only way I see this being practical is if there's also an XSS vulnerability on some admin page that would allow you to inject a script to get the admin SID from <code>document.location</code> then perform the exploit.</p> <h1 id="timeline"><a class="zola-anchor" href="#timeline" aria-label="Anchor link for: timeline" >#</a > Timeline</h1> <ul> <li>July 11, 2015: Reported vulnerability</li> <li>August 4, 2015: Received response from two different project members requesting more information</li> <li>December 23, 2015: Followed-up with project members (never received notification of response and I sort of forgot about this bug)</li> <li>December 23, 2015: Vendor confirmed bug</li> <li>January 11, 2016: Fix released</li> </ul> 2016-01-24T15:48:01-08:00 2016-01-24T15:48:01-08:00 Unknown https://landaire.net/cve-2016-1902/ <h2 id="overview"><a class="zola-anchor" href="#overview" aria-label="Anchor link for: overview" >#</a > Overview</h2> <p>Recently the Symfony project published a <a rel="external" href="http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails">security advisory</a> to the <a rel="external" href="https://github.com/symfony/symfony/blob/v2.7.8/src/Symfony/Component/Security/Core/Util/SecureRandom.php">SecureRandom</a> class in their Security component that affects Symfony versions 2.3.0-2.3.36, 2.6.0-2.6.12, 2.7.0-2.7.8. On most sane systems there is no problem, but in the event that something goes wrong the <code>SecureRandom::nextBytes()</code> falls back to a custom random number generator which creates insecure random numbers.</p> <h2 id="details"><a class="zola-anchor" href="#details" aria-label="Anchor link for: details" >#</a > Details</h2> <p>The <code>nextBytes()</code> function has three methods of RNG:</p> <ol> <li>If the PHP 7 <a rel="external" href="http://php.net/manual/en/function.random-bytes.php"><code>random_bytes()</code></a> function exists, that is used.</li> <li>If OpenSSL is installed on the system then <a rel="external" href="https://github.com/symfony/symfony/blob/ad264021e44a5aaa132f16aef69f92e56795683e/src/Symfony/Component/Security/Core/Util/SecureRandom.php#L66-L76"><code>openssl_random_pseudo_bytes()</code></a> is used and the result is checked to ensure RNG succeeded.</li> <li>If all of the above fail, a custom scheme is used. This is where the problem lies.</li> </ol> <p>The custom scheme can take in a seed file which doesn't necessarily need to exist. If the file does exist then the inital RNG seed is read from that file, otherwise the seed is initialized with <code>uniqid(mt_rand(), true)</code>.</p> <p><a rel="external" href="https://github.com/symfony/symfony/blob/ad264021e44a5aaa132f16aef69f92e56795683e/src/Symfony/Component/Security/Core/Util/SecureRandom.php#L92-L100">Here is where the random number is generated</a>:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="php"><span class="giallo-l"><span style="color: #89DDFF;">$</span><span>bytes</span><span style="color: #89DDFF;"> = &#39;&#39;;</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">while</span><span style="color: #89DDFF;"> (</span><span style="color: #82AAFF;">strlen</span><span style="color: #89DDFF;">($</span><span>bytes</span><span style="color: #89DDFF;">) &lt; $</span><span>nbBytes</span><span style="color: #89DDFF;">) {</span></span> <span class="giallo-l"><span style="color: #C792EA;"> static</span><span style="color: #89DDFF;"> $</span><span>incr</span><span style="color: #89DDFF;"> =</span><span style="color: #F78C6C;"> 1</span><span style="color: #89DDFF;">;</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> $</span><span>bytes</span><span style="color: #89DDFF;"> .=</span><span style="color: #82AAFF;"> hash</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">sha512</span><span style="color: #89DDFF;">&#39;, $</span><span>incr</span><span style="color: #89DDFF;">++.$this-&gt;</span><span>seed</span><span style="color: #89DDFF;">.</span><span style="color: #82AAFF;">uniqid</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">mt_rand</span><span style="color: #89DDFF;">(), true).$</span><span>nbBytes</span><span style="color: #89DDFF;">, true);</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> $this-&gt;</span><span>seed</span><span style="color: #89DDFF;"> =</span><span style="color: #82AAFF;"> base64_encode</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">hash</span><span style="color: #89DDFF;">(&#39;</span><span style="color: #C3E88D;">sha512</span><span style="color: #89DDFF;">&#39;, $this-&gt;</span><span>seed</span><span style="color: #89DDFF;">.$</span><span>bytes</span><span style="color: #89DDFF;">.$</span><span>nbBytes</span><span style="color: #89DDFF;">, true));</span></span> <span class="giallo-l"><span style="color: #89DDFF;"> $this-&gt;</span><span style="color: #82AAFF;">updateSeed</span><span style="color: #89DDFF;">();</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span> <span class="giallo-l"></span> <span class="giallo-l"></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;">return</span><span style="color: #82AAFF;"> substr</span><span style="color: #89DDFF;">($</span><span>bytes</span><span style="color: #89DDFF;">,</span><span style="color: #F78C6C;"> 0</span><span style="color: #89DDFF;">, $</span><span>nbBytes</span><span style="color: #89DDFF;">);</span></span></code></pre> <p>Upon inspection we can see the bytes that are eventually returned to the user are generated from a SHA-512 hash. This is probably done to make the output look uniform. A red flag is raised that maybe whatever is being fed to <code>hash()</code> <em>isn't</em> uniformly random. What's actually being fed to the core of this algorithm is the concatenation of some counter, seed, and a <code>uniqid()</code>. Let's take a look at each of these individually:</p> <ul> <li> <p>The counter starts out at 1 and is declared static. Since PHP is stateless, the counter is predictable if you know how many times the function has been called for your request.</p> </li> <li> <p><code>mt_rand()</code> is used as the <code>$prefix</code> to <code>uniqid()</code>. The PHP documentation for both of these functions explicitly state that they should not be used for cryptographic purposes. <code>uniqid()</code> inparticular isn't meant to even be random -- just unique. At its core it's just <a rel="external" href="https://github.com/php/php-src/blob/71c19800258ee3a9548af9a5e64ab0a62d1b1d8e/ext/standard/uniqid.c#L79-L83">a concatenation of prefix, seconds, microseconds, and <code>php_combined_lgc()</code></a> (the latter explained <a rel="external" href="http://seclists.org/fulldisclosure/2010/Mar/519">here</a>).</p> </li> <li> <p>The seed <em>can</em> be something we don't know <em>if the file already exists</em>. There are two cases where we can predict the seed though:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="plain"><span class="giallo-l"><span>1. If the user provides a path that doesn&#39;t exist</span></span> <span class="giallo-l"><span>2. If the user provides a path to a file that the application does not</span></span></code></pre> <p>have permission to read or write.</p> </li> </ul> <p><em>(Sidenote: Hugo's markdown generator doesn't support ordered vs unordered lists... what?)</em></p> <p>Point #2 is kind of interesting here because both failure to read <em>or</em> write the file fail silently and because PHP isn't exactly a type-safe language, nothing explodes.</p> <p><a rel="external" href="https://github.com/symfony/symfony/blob/ad264021e44a5aaa132f16aef69f92e56795683e/src/Symfony/Component/Security/Core/Util/SecureRandom.php#L103-L106"><code>readSeed()</code></a>:</p> <pre class="giallo" style="color: #BABED8; background-color: #0F111A;"><code data-lang="php"><span class="giallo-l"><span style="color: #C792EA;">private function</span><span style="color: #82AAFF;"> readSeed</span><span style="color: #89DDFF;">()</span></span> <span class="giallo-l"><span style="color: #89DDFF;">{</span></span> <span class="giallo-l"><span style="color: #89DDFF;font-style: italic;"> return</span><span style="color: #82AAFF;"> json_decode</span><span style="color: #89DDFF;">(</span><span style="color: #82AAFF;">file_get_contents</span><span style="color: #89DDFF;">($this-&gt;</span><span>seedFile</span><span style="color: #89DDFF;">));</span></span> <span class="giallo-l"><span style="color: #89DDFF;">}</span></span></code></pre> <p>If <code>file_get_contents()</code> fails it returns <code>FALSE</code> and is passed to <code>json_decode()</code>. If <code>json_decode()</code> fails, it simply returns NULL and you have to manually check <code>json_last_error()</code> to see why it failed. So if the file can't be read, your seed is <code>null</code>.</p> <p><a rel="external" href="https://github.com/symfony/symfony/blob/ad264021e44a5aaa132f16aef69f92e56795683e/src/Symfony/Component/Security/Core/Util/SecureRandom.php#L108-L115"><code>updateSeed()</code></a> fails very similarly. The result of <code>file_put_contents()</code> is never checked and will fail silently.</p> <h2 id="tl-dr"><a class="zola-anchor" href="#tl-dr" aria-label="Anchor link for: tl-dr" >#</a > tl;dr</h2> <p><code>SecureRandom::nextBytes()</code> will generate insecure random numbers if you're not using PHP 7, don't have random_compat, and OpenSSL fails for some reason.</p> <p>Even if this isn't a very practical or exploitable bug, it shows how a weakness at the core of a framework can go indiscovered for so long (this one almost 3 years!). I also mainly did this writeup to note that this is my first of hopefully many more CVEs.</p> <h2 id="timeline"><a class="zola-anchor" href="#timeline" aria-label="Anchor link for: timeline" >#</a > Timeline:</h2> <ul> <li>Dec 14, 2015: Vulnerability identified and reported</li> <li>Dec 30, 2015: No response, requested follow-up</li> <li>Jan 14, 2016: Patch released for 2.3, 2.6, 2.7</li> <li>Jan 18, 2016: Security advisory published</li> </ul>