No introductory explanations, let's just get straight to the point. xD (If you have no Cheat Engine experience, work through the tutorial that ships with CE first to get an idea of the basics.)
To start off, as always, scan for the value you're looking for; the scan gives you the address of the memory that currently holds that value.
In my case, I'm reversing MAME v0.201 with the Metal Slug 3 (NGM-2560) [mslug3] ROM loaded (Universal NeoGeo BIOS 3.3).
I tracked down the "coins value", which is the counter of coins (credits) inserted into the game.
Right-click that record in CE and "Find out what writes to this address" (I use this as a verb from here on). The instruction it shows addresses the value as base + offset, and a value scan for that base tells you where the base pointer itself is stored, which gives me a pointer:
0ED49650 holds 11EA1090 (base)
D20 (offset)
I found that the value 0ED49650 holds is different every time the game is reloaded, so 11EA1090 is obviously assigned at runtime. (In other words, 11EA1090 itself is useless as an anchor.)
Thus,
[[0ED49650] + D20] = coins value
Then, using "Find out what writes to this address" again, this time on 0ED49650, I get
0ED49610 + 40 = 0ED49650
0ED49610 (base)
40 (offset)
because it shows...
03D3B2CA - 66 0F 1F 44 00 00 - nop [rax+rax+00]
03D3B2D0 - 48 8B 49 40 - mov rcx,[rcx+40]
03D3B2D4 - 48 89 73 40 - mov [rbx+40],rsi <<
03D3B2D8 - 48 85 C9 - test rcx,rcx
03D3B2DB - 74 0A - je mame64.exe+393B2E7
RBX=000000000ED49610
The marked instruction writes RSI to [RBX+40], and with RBX = 0ED49610 that is exactly 0ED49650. Therefore,
[[0ED49610 + 40] + D20] = coins value
Where did the process get 0ED49610 (base) from, then?
0ED49610 is the "mother" (parent) of 0ED49650, and you know it's the mother because 0ED49610 + 40 = 0ED49650.
Scan for 0ED49610 stored as a value, then use "Find out what writes to this address" on each hit. I discovered that 0ED49610 is stored in:
1. 0ED494F0 + 80 = 0ED49570
2. 0ED49690 + 48 = 0ED496D8
3. 0ED4ED68 + D8 = 0ED4EE40
More value scans, this time for the three candidate bases:
0ED494F0 cannot be found anywhere in memory
0ED49690 is easily found in static memory (see below)
0ED4ED68 cannot be found anywhere in memory
In static memory,
mame64.exe+D97AE08 holds 0ED49690
mame64.exe+E39AAB0 holds 0ED49690
The reasoning behind that:
mame64.exe+D97AE08 = 0DD7AE08
mame64.exe+E39AAB0 = 0E79AAB0
[0DD7AE08] = 0ED49690
[0E79AAB0] = 0ED49690
i.e.
[mame64.exe+D97AE08] = 0ED49690
[mame64.exe+E39AAB0] = 0ED49690
and 0ED49690 is the base of candidate 2 above (0ED49690 + 48 = 0ED496D8), so
[mame64.exe+D97AE08] + 48 = 0ED496D8
[mame64.exe+E39AAB0] + 48 = 0ED496D8
and 0ED496D8, reached from either static address, holds the 0ED49610 we're looking for.
My conclusion here is,
mame64.exe+D97AE08 = 0DD7AE08 (static address)
[0DD7AE08] = 0ED49690 (ptr)
[0ED49690 + 48] = [0ED496D8] = 0ED49610 (ptr)
[0ED49610 + 40] = [0ED49650] = 11EA1090 (ptr, allocated at runtime)
[11EA1090 + D20] = coins value
So my "coins value" can be obtained through a ptr to a ptr to a ptr to a ptr:
[[[[mame64.exe+D97AE08] + 48] + 40] + D20] = coins value
That is four dereferences, or in CE's pointer-record terms a static base (mame64.exe+D97AE08) with three offsets: 48, 40, D20. (Counting the brackets is the hard part. xD)
Two things worth knowing before relying on this chain: the base is relative to the mame64.exe module, so the pointer record keeps working if the image is loaded at a different address, but the static offset and the structure offsets belong to this particular build (MAME 0.201, 64-bit); a different MAME build will generally move the static address and may change the structure offsets, and the chain has to be re-derived the same way.
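As an added example (my code, not from the post, MAME or Cheat Engine), here is a small Python resolver that walks the pointer record above the way CE does and also reproduces the "scan for this address as value" step used to find the parents. It assumes a constructed memory snapshot containing exactly the addresses and values from the post (the coins value of 3 and all helper names are made up); the module base 0x400000 is what the post's numbers imply (0DD7AE08 - D97AE08). The Windows reader at the end talks to a live process through ReadProcessMemory, is not exercised offline, and still needs the mame64.exe base from CE or EnumProcessModules.

```python
# Added example, not code from the post, MAME or Cheat Engine.
# Resolves a CE-style pointer record  [[[[module+static] + o1] + o2] + o3]
# and mimics the "scan for this address as value" step used to find parents.
import struct
from typing import Callable, Dict, List

Reader = Callable[[int, int], bytes]  # read(addr, size) -> bytes

# The pointer record derived in the post (module base implied by its numbers).
MAME_BASE = 0x400000
STATIC_OFFSET = 0xD97AE08
OFFSETS = [0x48, 0x40, 0xD20]


def read_u64(read: Reader, addr: int) -> int:
    return struct.unpack('<Q', read(addr, 8))[0]


def read_u32(read: Reader, addr: int) -> int:
    return struct.unpack('<I', read(addr, 4))[0]


def resolve_chain(read: Reader, module_base: int, static_offset: int,
                  offsets: List[int]) -> List[int]:
    """Walk the chain and return every address visited:
    [module+static, ptr1+o1, ptr2+o2, ..., address of the final value].
    A null pointer on the way (object not allocated yet) raises."""
    addr = module_base + static_offset
    visited = [addr]
    for off in offsets:
        ptr = read_u64(read, addr)
        if ptr == 0:
            raise ValueError(f'null pointer at {addr:#x}, chain not live yet')
        addr = ptr + off
        visited.append(addr)
    return visited


def find_pointers_to(memory: Dict[int, bytes], target: int) -> List[int]:
    """CE's 'scan for 0ED49610 stored as value': every 8-byte-aligned
    location in the snapshot whose contents equal target."""
    hits = []
    for base, blob in sorted(memory.items()):
        for i in range(0, len(blob) - 7, 8):
            if struct.unpack_from('<Q', blob, i)[0] == target:
                hits.append(base + i)
    return hits


def make_snapshot() -> Dict[int, bytes]:
    """Constructed snapshot reproducing the relationships from the post.
    Only the words the post mentions exist; the coins value (3) is made up."""
    q = lambda v: struct.pack('<Q', v)
    return {
        0x0DD7AE08: q(0x0ED49690),   # mame64.exe+D97AE08
        0x0E79AAB0: q(0x0ED49690),   # mame64.exe+E39AAB0
        0x0ED49570: q(0x0ED49610),   # 0ED494F0+80 (candidate 1)
        0x0ED496D8: q(0x0ED49610),   # 0ED49690+48 (candidate 2)
        0x0ED4EE40: q(0x0ED49610),   # 0ED4ED68+D8 (candidate 3)
        0x0ED49650: q(0x11EA1090),   # 0ED49610+40, runtime object
        0x11EA1DB0: struct.pack('<I', 3) + b'\0' * 4,  # 11EA1090+D20, coins
    }


def snapshot_reader(memory: Dict[int, bytes]) -> Reader:
    """Reader over the sparse snapshot; an unmapped read raises, like a
    failed ReadProcessMemory would."""
    def read(addr: int, size: int) -> bytes:
        for base, blob in memory.items():
            if base <= addr and addr + size <= base + len(blob):
                return bytes(blob[addr - base:addr - base + size])
        raise ValueError(f'unmapped read at {addr:#x}')
    return read


def process_reader(pid: int) -> Reader:
    """Reader over a live process via ReadProcessMemory (Windows only, not
    run here). Pass the mame64.exe base from CE or EnumProcessModules as
    module_base when resolving against it."""
    import ctypes
    k32 = ctypes.WinDLL('kernel32', use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    PROCESS_VM_READ = 0x0010
    handle = k32.OpenProcess(PROCESS_VM_READ, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error())

    def read(addr: int, size: int) -> bytes:
        buf = ctypes.create_string_buffer(size)
        got = ctypes.c_size_t()
        ok = k32.ReadProcessMemory(ctypes.c_void_p(handle), ctypes.c_void_p(addr),
                                   buf, ctypes.c_size_t(size), ctypes.byref(got))
        if not ok:
            raise OSError(ctypes.get_last_error())
        return buf.raw[:got.value]
    return read


def coins_from_snapshot() -> int:
    """Resolve the post's chain against the constructed snapshot."""
    read = snapshot_reader(make_snapshot())
    path = resolve_chain(read, MAME_BASE, STATIC_OFFSET, OFFSETS)
    return read_u32(read, path[-1])


if __name__ == '__main__':
    mem = make_snapshot()
    for a in resolve_chain(snapshot_reader(mem), MAME_BASE, STATIC_OFFSET, OFFSETS):
        print(f'{a:#010x}')
    print('coins =', coins_from_snapshot())
    print('parents of 0ED49610:', [f'{a:#x}' for a in find_pointers_to(mem, 0x0ED49610)])
```

Running it prints the four addresses the post lists (0DD7AE08, 0ED496D8, 0ED49650, 11EA1DB0) and the three parents of 0ED49610 from the snapshot; swapping `snapshot_reader(...)` for `process_reader(pid)` plus the real module base is all that changes for a live MAME process.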
Coconut Rum
Sept. 27th, 2018