Reverse Analysis Practice 2

1. Reverse analysis of game windowing function

1. Trigger condition: add -window

to the game properties

2. The debugger attaches the game to run, and starts to analyze
   Guess: The game implements windowing and must determine whether there is **-window** in the command line parameters, and obtain this parameterInformation can be obtained in two ways

   (1) WindowApi:GetCommandLineA(2) PEB structure

   Evidence: Set a breakpoint at the GetCommandLineA function and run the game.
   

3. Guess: According to msdn, the function of this function is Retrieves the command-line string for the current process and The return value is a pointer to the command-line string for the current process..The next step should be to cut the string, then compare, and the character constants are placed in the constant area, we can locate the constant area by string searchstrong>where is window

   used

4. Reverse analysis

    task1: Get [the game's command line characters through Win32APIString ] to [EAX]task2: [exe absolute path in the split string], [parameter ] to [stack] to [register]task3: Use while and if statements to determine whether the command line isNot in debug mode, ebp=1 means not in debug mode

   

   Continue to execute backwards and find that we have come to a familiar place, yes!This is where we last analyzed screen resolution.

   Guess: After observing the code, guess 0 means windowed, 1 means full screen mode
   Empirical evidence: Re-run the game without -winow, and set a breakpoint at this place
   

   Following:
   
   Make patch, copy to executable:
   

   new question: windowing function is implemented, why does the screen resolution 1920×1080 patch fail

   Guess: screen resolution handling is different in full screen mode and window mode

   Reverse analysis: based on the analysis of the previous resolution, analyze again on this basis

   
   

Evidence: By analyzing the data flow of local variables, we only need to modify the source of the data

6. Summary:

   The breakthrough to locate where you want to analyze:(1) WinddowAPI: Which WindowAPI will be called in this place,(2) String lookup: is there any string used in this place?