RCE Endeavors 😅

November 18, 2021

Reverse Engineering REST APIs: Basics (3/12)

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 9:54 AM

Table of Contents:

This next series of posts will describe how to reverse engineer a client application in order to find out how it communicates with a server. Specifically, what we will find throughout the rest of the series, is how the Age of Empires IV game builds requests and decrypts responses. This will be done in multiple steps: first, we will do some basic analysis on the application with a debugger attached, then we will begin to look at the networking functions that the game uses in order to perform client-server communication. From there, we will look deeper into the game logic and reverse engineer the internal functions that build and decode messages. Lastly, we will wrap by up hooking these internal functions in order to see the decrypted content, which will grant us full control over what is being sent and received.

To do this is going to require a set of tools and libraries. Below is what will be used throughout the rest of this series:

  • Tool: x64dbg – A great debugger for x86/x64
  • Tool: Visual Studio 2022 – This will be used to develop and debug the API hook DLL
  • Library: Detours – We will use this library to perform the API hooking
  • Library [optional]: Catch2 – Used for writing unit tests

The tools were downloaded as is, and the libraries were downloaded and installed via vcpkg. The source is available for all of the code that will be written and discussed in this series.

November 17, 2021

Reverse Engineering REST APIs: The Easy Way (2/12)

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 4:33 PM

Table of Contents:

This post starts off the series by showing the easy way to reverse engineer REST APIs: by simply looking at the request and response flow. To start, we will launch the game and use Wireshark to look at the traffic going over the wire. In order to filter out the traffic, we need to find out what IP(s) the game is connected to. After launching the game and running netstat, we get the following output:

netstat -n -p TCP -b

...
 [RelicCardinal.exe]
  TCP    192.168.0.153:52322    52.186.164.33:443      ESTABLISHED
 [RelicCardinal.exe]
  TCP    192.168.0.153:52323    52.186.164.33:443      ESTABLISHED
 [RelicCardinal.exe]
  TCP    192.168.0.153:52324    23.200.0.183:443       ESTABLISHED
 [RelicCardinal.exe]
  TCP    192.168.0.153:52329    52.165.184.209:443     ESTABLISHED
 [RelicCardinal.exe]
  TCP    192.168.0.153:58611    52.226.139.185:443     ESTABLISHED
...

The game is connecting on port 443, which means that communication is happening over TLS. Looking at Wireshark, there is no useful data to be seen since everything is encrypted. At best you can extract the hostname information from the server name indication extension of TLS, though useful information like query strings and content bodies will still remain encrypted.

This is a minor inconvenience, but still an inconvenience nonetheless. To get at the decrypted data requires a few more steps: first, we need to set up a proxy that intercepts traffic over HTTPS, then we need to run the game through this proxy.

Setting up a HTTPS proxy is pretty straightforward: mitmproxy can be used for this. After installing the tool, navigate to the Windows Proxy Settings and add in a proxy running on localhost:8080

Once this is done, you can launch mitmweb.exe from the mitmproxy installation directory. After launching mitmweb.exe, a new browser tab should pop up showing intercepted network flows. This will likely be initially empty.

In order to intercept traffic, mitmproxy needs to install a root certificate. Once mitmweb.exe is running, navigate to mitm.it. If everything is working as expected, there should be options to install the mitmproxy certificate for various operating systems and devices.

After the certificate is installed, the proxy should be fully set up. You can restart mitmweb.exe and observe some traffic being intercepted.

At this point, the proxy is verified as working. You can try to launch the game and begin inspecting traffic. However, if you do that, you will notice that no traffic is coming through. The game will appear to be working fine: it will log in to the network, display messages, show available lobbies, and function just as before. This means that the game’s traffic is not being routed through the proxy that we set up.

This might seem like a big roadblock, but fear not. There are multiple tools that configure applications to run through a proxy. For this I used Proxifier, which is paid software but provides a free 30-day trial. After installing and launching Proxifier, configure the HTTPS proxy by navigating to Profile -> Proxy Servers…

In this prompt, fill in the address of the HTTPS proxy that was set up with mitmproxy.

Once this is done, traffic of every application will be routed through the mitmproxy. To verify, you can launch the game again and look in the mitmproxy tab. You should now see the various APIs that get called from within the game in their unencrypted form.

From here on, you can begin interacting with the game and seeing what messages are sent to the server as a result of your actions. Doing so will allow you to discover more APIs, and you can begin to get a better picture of how the client-server interaction drives what you see in the game. Once you are done monitoring the traffic, you can shut down Proxifier, mitmproxy, and disable the manual proxy settings in Windows.

This concludes the easy way to reverse engineer REST APIs: through the combination of a couple of tools we are able to quickly see the requests and responses that are being sent, even if TLS is being used. The rest of this series will focus on reverse engineering the game itself to get the unencrypted request and response payloads.

Reverse Engineering REST APIs: Introduction (1/12)

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 4:32 PM

This series of posts will focus on reverse engineering REST APIs. The APIs that will be discussed are those used by the Age of Empires IV lobby and matchmaking system. These are an internal set of APIs that the game uses in order to retrieve, display, and update information about your account. This includes APIs for your profile, completed challenges, items, news, chat messages, available game lobbies, and many more.

These posts will be broken down into an easy way and a hard, but fun, way to get the same results. The easy way is covered in the next post and shows how to configure third-party tools to intercept and display the data. The rest of the series will focus on the more difficult way of reverse engineering the actual game in order to retrieve the request and response content.

A link to each post is provided below:

March 11, 2017

Game Hacking (3/3): Putting Everything Together

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 1:54 PM

The last two posts discussed how to develop an Age of Mythology map hack. This was done by finding and reverse engineering the parts of the game responsible for toggling the map state (black overlay, fog of war, full reveal) and invoking those functions through a DLL that is injected into the game process. This short post will complete the series by providing the source code for an injector that will inject the newly developed hack DLL into the Age of Mythology process. The hack will work in multiplayer, and in the original game as well as the extended edition.

The code can be found here and is generally pretty self-explanatory. The map hack DLL exports a KeyboardProc callback, which handles the logic of toggling the map state depending on what keys the user enters (7, 8, 9, 0 keys). The injector installs a keyboard hook on the game process, which effectively injects the hack DLL into the game process and makes the KeyboardProc callback active. At this point, all keystrokes going to the game will be intercepted and checked against the four special toggle keys. If a toggle key is hit, then the corresponding function to set the map state will be invoked.

Missed the earlier posts?

Game Hacking (1/3): The Hard Way

Game Hacking (2/3): The Easy Way

Thanks for reading and follow on Twitter for more updates.

February 25, 2017

Game Hacking (2/3): The Easy Way

Filed under: Game Hacking,Programming,Reverse Engineering — admin @ 1:24 PM

The previous post detailed how to develop a map hack by taking advantage of existing functionality in the game. The technique relied on being able to toggle the map to a hidden/revealed state, and then using this functionality to methodically step through the assembly code. This eventually led to logic that was specific to hiding and revealing the map, where it was then possible to write a hack that invokes this functionality at will. The technique presented in this post is much easier than that, and is only made possible due to useful strings that were found in the binary.

The tool used in this post will be x64dbg, which is a really great debugger and disassembler, and what I consider to be the successor to the now-ancient OllyDbg. Unfortunately, it won’t really be used too much in this post since there won’t be much need of live analysis (this post is titled “the easy way” after all). Assembly snippets will be pasted from IDA Pro, since I find their copy+paste format to be the most readable.

Starting off by attaching to the process and doing a string dump (Right click -> Search for -> Current Module -> String references) for the main executable yielded 25817 strings for me — plenty to search through.

Filtering on the string “map” yields a much more manageable set. Looking through, there are a few strings that seem like they might lead somewhere interesting:

"trSetFogAndBlackmap(<true/false> <true/false>): turn fog and black map on/off."
"trRevealEntireMap -- shows whole map, similar to how revealed mode works"
"trPlayerResetBlackMap(: Resets the black map for a given HUMAN player."
"map visibility"
"blackmap([integerState]) : toggles or sets unexplored black map rendering."

The two most promising places seem to be the ones highlighted in orange. The strings give a clear description of what the function does and even provides parameter arguments. The “trX” functions appear to be related to the triggers system that is available in the game and allows map makers to add effects and conditions to their custom maps. Looking at references to the first string goes to the following:

...
.text:008B2B76 loc_8B2B76:                             ; CODE XREF: sub_8AE4A0+46CDj
.text:008B2B76                 mov     ecx, esi
.text:008B2B78                 call    sub_59C270
.text:008B2B7D                 push    1
.text:008B2B7F                 push    offset loc_8AAEE0
.text:008B2B84                 push    offset aTrsetfogandbla ; "trSetFogAndBlackmap"
.text:008B2B89                 mov     ecx, esi
.text:008B2B8B                 call    sub_59BE80
.text:008B2B90                 test    al, al
.text:008B2B92                 jnz     short loc_8B2BAE
.text:008B2B94                 push    offset aTrsetfogandbla ; "trSetFogAndBlackmap"
.text:008B2B99                 push    offset aSyscallConfigE ; "Syscall config error - Unable to add th"...
.text:008B2B9E                 push    esi             ; int
.text:008B2B9F                 call    sub_59DBC0
...

The code here begins by passing in the string, a pointer to a function, and a constant (1) as arguments to another function (teal). The return value of this call is checked for 0, which is an error condition (blue). From looking at the what is happening in a disassembler, this pattern is found throughout everywhere. This code, and all of the surrounding code, is attempting to register triggers and is providing the trigger name, a callback to where the trigger code lives, and a yet unknown constant of 1. Given that, the real place to look would be in the callback.

Following through to the callback leads to the following section of code:

.text:008AAEE0 loc_8AAEE0:                             ; DATA XREF: sub_8AE4A0+46DFo
.text:008AAEE0                 mov     eax, dword_A9D244
.text:008AAEE5                 mov     ecx, [eax+140h]
.text:008AAEEB                 test    ecx, ecx
.text:008AAEED                 jz      short locret_8AAF13
.text:008AAEEF                 mov     edx, [esp+4]
.text:008AAEF3                 push    0
.text:008AAEF5                 push    edx
.text:008AAEF6                 call    sub_5316B0
.text:008AAEFB                 mov     eax, [esp+8]
.text:008AAEFF                 mov     ecx, dword_A9D244
.text:008AAF05                 mov     ecx, [ecx+140h]
.text:008AAF0B                 push    0
.text:008AAF0D                 push    eax
.text:008AAF0E                 call    sub_5316D0
.text:008AAF13
.text:008AAF13 locret_8AAF13:                          ; CODE XREF: .text:008AAEEDj
.text:008AAF13                 retn

The two calls here (green) should be familiar if you have read the first part of this series recently. These are the two functions that were eventually found to control revealing and hiding the map to the player. Each function takes in a “this” pointer, which we can see here is loaded from a constant address and is likely the class for the main player, along with a true/false value which describes what should happen to the map. There’s also a third constant parameter of 0 here, which is different from the constant parameter of 1 at the other call site from the previous post, possibly indicating whether the map state is being changed via player interaction or a trigger.

Knowing this, the hack from the previous post can be made a bit better. With the old hack, there was an issue of having to provide a fake “this” pointer which needed to have a field written into, and there was only a true/false toggle option. Going from the documentation provided by the string dump, this function takes in two booleans — presumably to control the black overlap and the fog of war which obscures areas that the player has already explored but does not have vision of anymore.

The new (and still hacky) code is below:

#include <Windows.h>
 
using pToggleMapFnc = void (__cdecl *)(bool bEnableBlackOverlay, bool bEnableFogOfWar);
 
int APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason)
    {
    case DLL_PROCESS_ATTACH:
    {
        (void)DisableThreadLibraryCalls(hModule);
 
        pToggleMapFnc ToggleMap = (pToggleMapFnc)0x008AAEE0;
 
        while (!GetAsyncKeyState('0'))
        {
            if (GetAsyncKeyState('6'))
            {
                ToggleMap(true,  true);
            }
            else if (GetAsyncKeyState('7'))
            {
                ToggleMap(true, false);
            }
            else if (GetAsyncKeyState('8'))
            {
                ToggleMap(false, true);
            }
            else if (GetAsyncKeyState('9'))
            {
                ToggleMap(false, false);
            }
 
            Sleep(10);
        }
 
        break;
    }
 
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
        break;
    }
 
    return TRUE;
}

Calling the function with the various parameter combinations reveals the following behavior:
True/True – Black map overlay with fog of war
True/False – No black map overlay, fog of war is still present. Features are missing from the map.
False/True – Black map overlay without fog of war. Areas that were explored will always have line of sight
False/False – No black map overlay, no fog of war. Everything is visible.

Screenshots of the mini-map is shown for these four states below:

The hack becomes a bit cleaner since now it is just making a direct call to a function and doesn’t require passing anything unknown. Hopefully it is obvious why this is considered the “easy way” versus the previous post, which required a large amount of debugging and tracing.

The next, and last, part of this series will cover how to clean this hack up a bit more and make it more professional. Additionally, it will cover what is involved in porting this hack to the newer Extended Edition version of the game.

Thanks for reading and follow on Twitter for more updates.

« Newer PostsOlder Posts »

Powered by WordPress