Chess edit bin file

2/11/2024

With a huge nod to this uninformed post – introduction to reverse engineering win32 applications, where they debug minesweeper – I decided to dive into the Windows 7 chess game and see if I could give myself a bit of an advantage. I wasn't sure exactly what I wanted to do other than that. I'll be using Windows 7 32 bit, and the file is at C:\Program Files\Microsoft Games\Chess\. This tutorial will probably not work with anything but 32-bit Windows.

Recon and Defining what we want to do

Following the uninformed post, I wondered if chess might contain symbols also, as this would make my life easier. In the uninformed post they use windbg to look at functions, but I find IDA Pro easier to read. Loading chess.exe into IDA we see quite a few functions right off the bat that look interesting. It looks like there's a Pawn class, a Knight class, a Bishop class, etc. So there seem to be two outliers, knights and pawns. Knights have extra moves like CanJump, and pawns can move certain places depending on other pieces, so this makes sense. Also, this gives us a big clue that these classes contain some of the logic we can use to determine which piece can move where.

So how should I beat my dad? He's not a grandmaster, so maybe if I made bishops move like queens for me that would do the trick. There is also a Board class, so another idea I had was to replace the bishops with queens when the board was set up, but that's not the route I went. There's this function GetPassiveMoves common to all the classes:

009bd67f Chess!Knight::GetPassiveMoves =
009bd70a Chess!Bishop::GetPassiveMoves =

Setting a bp here, it's tough to tell what's going on because it's hit so frequently, but the functions are really simple, and for the most part they look VERY similar between the Pawn/Rook/Knight/King/etc. classes. So let's just replace the first instruction to jump to the other function. I had mona loaded into windbg here, but you can also do this with the metasploit asm shell or nasm. What this does is modify the Chess!Bishop::GetPassiveMoves function and has it immediately jump to Chess!Queen::GetPassiveMoves. (The addresses on your box will certainly be different.)

0:010> !py mona asm -s "mov eax, 0x0076d7f8#jmp eax"
0076d5d6 b8f8d77600 mov eax,offset Chess!Queen::GetCaptureMoves (0076d7f8)
Flow analysis was incomplete, some code may be missing
This mona.py action took 0:00:02.172000

When we run, we can move anywhere with our bishops.

At this point, even though we can move anywhere, we still have two problems we need to solve. 1) Both black and white can move anywhere, so this doesn't give me an advantage. What I really want is just white to be able to move anywhere. 2) We can't just write to this address because of ASLR, and also because it's a read-only section of memory.

What does it mean for us that ASLR is enabled? Any static addresses will likely change from run to run of the chess game. Looking for non-ASLR'd modules, there are none:

Generating module info table, hang on.
Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path

So for us, we can't really rely on any hard coded addresses. Additionally, even if we solved ASLR, our hard jump strategy will also fail because both white and black call the GetPassiveMoves function. We need a way to only modify that function for white.

Getting turn info took a bit of shooting in the dark also, but because of symbols it was relatively easy to track down.

bp Chess!GameState::GetTurn+3 "r eax; g"

This is called a lot, and it seems to return 2 or 0 for white, and 0, 1, or 2 for black. This function will probably work, but there's another turn function too, named ToggleTurn, so let's try that. This function seems perfect – it's called once after every move.
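To make the ASLR problem above concrete, here is an added example (my own C, not code from the post): it reproduces the post's absolute "mov eax, imm32 / jmp eax" patch bytes and puts a relative "jmp rel32" next to it, then rebuilds both for a module loaded at a different base to show that only the relative form survives ASLR. The patch site 0x0076d5d6 and target 0x0076d7f8 come from the post's mona output; the two load bases are constructed, since the page does not show Chess.exe's base.

```c
#include <stdint.h>
#include <string.h>

/* Addresses from the post's mona output (valid for that one ASLR layout). */
#define PATCH_SITE   0x0076D5D6u   /* where mona placed the patched instruction */
#define QUEEN_TARGET 0x0076D7F8u   /* jump target, the Queen move function */

/* "mov eax, imm32 ; jmp eax" (7 bytes): the absolute form the post assembles.
 * The immediate is a run-time address, so it is only right for one layout. */
void encode_abs_jmp(uint32_t target, uint8_t out[7]) {
    out[0] = 0xB8;                                   /* mov eax, imm32 */
    for (int i = 0; i < 4; i++)                      /* imm32, little-endian */
        out[1 + i] = (uint8_t)(target >> (8 * i));
    out[5] = 0xFF; out[6] = 0xE0;                    /* jmp eax */
}

/* Displacement for "jmp rel32", measured from the end of the 5-byte instruction.
 * Unsigned wrap-around gives the right two's-complement value for backward jumps. */
uint32_t rel32_for(uint32_t patch_site, uint32_t target) {
    return target - (patch_site + 5);
}

/* "jmp rel32" (5 bytes) from the patch site to the target. */
void encode_rel_jmp(uint32_t patch_site, uint32_t target, uint8_t out[5]) {
    uint32_t rel = rel32_for(patch_site, target);
    out[0] = 0xE9;                                   /* jmp rel32 */
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i));
}

/* 1 if our encoder reproduces the bytes mona printed (b8 f8 d7 76 00) followed
 * by the standard encoding of jmp eax (ff e0). */
int abs_patch_matches_post(void) {
    static const uint8_t post[7] = {0xB8, 0xF8, 0xD7, 0x76, 0x00, 0xFF, 0xE0};
    uint8_t ours[7];
    encode_abs_jmp(QUEEN_TARGET, ours);
    return memcmp(ours, post, 7) == 0;
}

/* Builds the patch for a module loaded at base_a, then again for base_b (both
 * bases are constructed inputs), and returns 1 if the bytes are identical, i.e.
 * the patch still works after ASLR relocates the whole module. */
int patch_survives_rebase(int relative, uint32_t site, uint32_t target,
                          uint32_t base_a, uint32_t base_b) {
    uint8_t a[7], b[7];
    uint32_t d = base_b - base_a;                    /* every module address shifts by d */
    if (relative) { encode_rel_jmp(site, target, a); encode_rel_jmp(site + d, target + d, b); }
    else          { encode_abs_jmp(target, a);       encode_abs_jmp(target + d, b); }
    return memcmp(a, b, relative ? 5 : 7) == 0;
}
```

A relative jump only removes the dependence on the load address; the page is still read-only and the patch would still fire for both colours, so the turn check the post goes on to look for is still needed.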