Bad idea: build a captcha library that embeds DOSBox so it can make you beat levels/puzzles from DOS games to continue.
-
Graham Sutherland / Polynomial replied to Foone🏳️⚧️
@foone yeah that's what I'm thinking. either that or they're hotpatching stuff and using VEH or similar to catch and handle the int instructions.
-
Graham Sutherland / Polynomial replied to Graham Sutherland / Polynomial
@foone are they passing LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE or LOAD_LIBRARY_AS_IMAGE_RESOURCE to LoadLibraryEx? that'd be a giveaway that they're not directly doing imports and there's some extra gubbins in there for yanking out data and maybe executing code.
-
@foone remember the goat puzzle?
-
@jonn which one?
-
Foone🏳️⚧️ replied to Graham Sutherland / Polynomial
@gsuberland haven't found out yet but i suspect so
-
@foone it seems like you've solved this, but, I have previously dealt with a program using OpenWatcom C that uses their Win16 wrapper and produces an NE executable. Basically it starts up in win16, loads their DPMI handler and a bunch of thunks for 32->WinAPI 16, and then it pulls a 32-bit binary blob (the main program) into memory and executes that. really a nightmare to get Ghidra working on that, I had to locate the blob and extract it and then load it up as a raw 32-bit .bin
-
@foone my notes on making that work, if you find you're in the same situation:
https://github.com/greg-kennedy/DarkSunOnline/wiki/Client-Disassembly
-
@foone … but… why?
-
@mmu_man different plugins target different versions. compiling between versions is annoying enough that the easiest way to do it is to just have multiple versions installed
-
@greg ooh, nasty. I'm not sure if that's what's happening here, but good to know
-
obviously the first thing you call GetProcAddress on is "GetProcAddress"
-
you know, just in case the address has changed between compile time and run time
-
oh it's trying to load WinG32.dll
that's a pre-directx windows library for high speed graphics. it was partially written to get Doom running at full speed under windows.
-
hah! it works!
it turns out they installed this pre-win95 graphics library into System32 of my 64-bit windows system (well, SysWOW64)
-
okay I'm running in a debugger now, with breakpoints on LoadLibrary/GetProcAddress.
There's no activity while doing stuff that'll trigger the .DAT files (which are DLLs) to load.
-
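Whether a renamed .DAT is really a DLL, or whether an image is a Win16 NE executable like the DarkSunOnline client mentioned earlier, can be read straight from the headers before any loader touches it. This is an added example, not code from anyone in this thread; the sample header bytes are constructed, and the "game.dat" / "win16.exe" names are placeholders.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit set on DLL images
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}

def classify_image(data: bytes) -> dict:
    """Classify an executable image from its headers, ignoring the file extension.

    'format' is one of 'not-mz', 'dos', 'ne' (16-bit Windows New Executable) or
    'pe'; PE results also carry 'is_dll', 'machine', 'sections' and 'pe_magic'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"format": "not-mz"}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the extended header
    if e_lfanew + 4 > len(data):
        return {"format": "dos"}                         # plain DOS MZ program
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":
        return {"format": "ne"}
    if sig != b"PE\0\0":
        return {"format": "dos"}
    coff = e_lfanew + 4                                  # COFF file header follows "PE\0\0"
    if coff + 20 > len(data):
        return {"format": "pe", "truncated": True}
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    result = {"format": "pe", "machine": machine, "sections": nsect,
              "is_dll": bool(chars & IMAGE_FILE_DLL)}
    if opt_size >= 2 and coff + 22 <= len(data):         # optional header magic, if present
        magic = struct.unpack_from("<H", data, coff + 20)[0]
        result["pe_magic"] = PE_MAGIC.get(magic, hex(magic))
    return result

def _mz_stub(e_lfanew: int) -> bytes:
    """Constructed 64-byte MZ header whose e_lfanew points at the next header."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr)

# Constructed samples (headers only): a PE32 i386 DLL renamed to .DAT, and an NE image.
SAMPLE_DAT = (_mz_stub(0x40) + b"PE\0\0"
              + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2102)  # i386, DLL flag set
              + struct.pack("<H", 0x10B))
SAMPLE_NE = _mz_stub(0x40) + b"NE" + b"\0" * 62

if __name__ == "__main__":
    for name, blob in (("game.dat", SAMPLE_DAT), ("win16.exe", SAMPLE_NE)):
        print(name, classify_image(blob))
```

Running it over a game directory (read each file's first kilobyte and pass it in) flags PE images hiding behind data extensions even when the program bypasses LoadLibrary, as this one seems to.
-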
I wonder if these fuckers just skipped using the windows DLL loader and wrote their own so they could use them on win32?
-
@foone woag i am so here for this
i’ve also been reverse engineering gizmos & gadgets (<https://github.com/delan/reverssg>), so i’m very keen to read about what you find. good luck!
-
oh goody, they're not using the regular CreateFile
they're using _lopen. The 16-bit windows compatibility one!
-
@delan oh, awesome! I'll have to look through what you've found so far.
-
and CreateFile.
they use both. fun!