Sunday, 21 August 2011

Patching utorrent slow ipfilter loading

When utorrent's ipfilter.dat, a file which filters out malicious ips in peer swarms, grows large, utorrent hangs at startup
I noticed this when I tried putting some new lists into the filter

A little reversing uncovers the issue

The ipfilter.dat ip range format looks like this (for ipv4)
1.2.3.4-5.6.7.8,0,test

This includes a start, an end, a priority level, and an optional description

The problem happens after utorrent parses ipfilter.dat, when it attempts to optimize it
It does so by trying to merge all the ip filter ranges together

the function is laid out like this:
sort(ipRanges)
for i, ipRange in enumerate(ipRanges):
    if ipRange overlaps with the previous range (ipRanges[i-1]):
        copy ipRanges[i:] to ipRanges[i-1:]

when there are many overlapping ranges this gets very slow: every merge copies (a memcpy) the whole remaining tail of the list down by one slot, so the total work grows with the square of the number of ranges

obviously, when there are no overlapping ranges, the slowdown does not occur

there are many ways to rewrite this; as long as only one range is moved per comparison, the function will be fast
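to make the difference concrete, here is an added example in python (not utorrent's code): a parser for the ipfilter.dat line format above and two merge routines, one laid out like the loop in the binary, where every merge shifts the whole tail down, and one that does the same job in a single pass; the sample list is constructed

```python
import ipaddress
from typing import List, Tuple

Range = Tuple[int, int]  # inclusive start and end, as integers


def parse_ipfilter(text: str) -> List[Range]:
    """Parse 'start-end,level,description' lines; the description is optional."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        span = line.split(",", 1)[0]  # "1.2.3.4-5.6.7.8"
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in span.split("-"))
        ranges.append((min(lo, hi), max(lo, hi)))
    return ranges


def overlaps(prev: Range, cur: Range) -> bool:
    """True when cur starts inside prev or directly after it (adjacent ranges merge too)."""
    return cur[0] <= prev[1] + 1


def merge_by_shifting(ranges: List[Range]) -> List[Range]:
    """The layout in the post: sort, then on every overlap shift the whole tail down."""
    r = sorted(ranges)
    i = 1
    while i < len(r):
        if overlaps(r[i - 1], r[i]):
            r[i] = (r[i - 1][0], max(r[i - 1][1], r[i][1]))
            r[i - 1:] = r[i:]  # the memcpy of the tail: O(n) per merge, O(n^2) overall
        else:
            i += 1
    return r


def merge_linear(ranges: List[Range]) -> List[Range]:
    """Same result in one pass: extend the last kept range or append a new one."""
    out: List[Range] = []
    for cur in sorted(ranges):
        if out and overlaps(out[-1], cur):
            out[-1] = (out[-1][0], max(out[-1][1], cur[1]))
        else:
            out.append(cur)
    return out


# constructed sample list, not a real filter
SAMPLE = ("1.2.3.4-5.6.7.8,0,test\n5.6.7.9-5.6.7.200,0,adjacent\n"
          "10.0.0.0-10.0.0.255,0,separate\n1.2.3.100-1.2.3.200,0,inside first")
```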

Patching this makes utorrent start-up fast again

I'm not sure if utorrent 3 has fixed this yet, but for those who are still using v2, here's a patch:
http://www.mediafire.com/?tto3p44mwvn5tfx

Tuesday, 21 June 2011

eset crackme 2011 solution

I've promised to post a solution, so here it is

the crackme does some simple checking first

len(name)>=5
len(key)>=0xA

then it loads an elf file from resources; it doesn't have anything linux-specific except for the file format, so the parts of it that are used run fine on windows

it calls 2 routines from it

the first routine hashes the username, identified by the genius cryptographist dcoder as cubehash

this hash is then fed into a big macro-laden routine

it looks big, however when you look at the individual parts it's not that complicated

inside the big loop:
the first macro reverses the bits of a 64 bit var
the next few call another macro 32 times, we can simplify it to this

esi=bitset(local_134,63)?5043443f1755df4d:0
ecx=bitset(local_134,62)?5043443f1755df4d:0
ecx:edi^((esi:ebx^(local_138:local_134<<1))<<1)

simplifying further, it actually calls one macro twice: n=((n>>63)?0x5043443f1755df4d:0)^(n<<1), where n is a 64 bit number

the last few macros reverse the bits of n again

this looks very much like crc, in fact, it is a crc64 with a starting value of:
0x3537000000003735
and a polynomial of:
0xb2fbaae8fc22c20a (this is the bit reversed 0x5043443f1755df4d)
the final value is xored with:
0x6b3e997a6008e054

a constant string and our key is fed into this routine, then compared with the hash

to reverse this, we simply reverse the crc
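as an added example (not the crackme's code), here is that crc64 in python written both ways: the reverse-bits / shift-left / reverse-bits loop from the macros, and the plain reflected form using the bit-reversed polynomial, which give identical results; how the binary feeds bytes into the register isn't shown above, so xoring each byte into the low end of the register is an assumption

```python
MASK64 = (1 << 64) - 1
POLY_MSB = 0x5043443F1755DF4D        # polynomial as it appears in the shift macro
POLY_REFLECTED = 0xB2FBAAE8FC22C20A  # its bit reversal, the reflected-form polynomial
INIT = 0x3537000000003735
XOROUT = 0x6B3E997A6008E054


def reverse_bits64(n: int) -> int:
    """Reverse the bit order of a 64-bit value (what the first and last macros do)."""
    return int(f"{n & MASK64:064b}"[::-1], 2)


def shift_step_msb(n: int) -> int:
    """The inner macro: n = ((n>>63) ? 0x5043443f1755df4d : 0) ^ (n<<1), on 64 bits."""
    return ((POLY_MSB if n >> 63 else 0) ^ (n << 1)) & MASK64


def crc64_as_in_binary(data: bytes) -> int:
    """Mirror the loop in the binary: reverse, MSB-first shifts, reverse back.

    Assumption: each byte is xored into the low end and followed by 8 shifts.
    The post describes 64 shifts per loop iteration; since the register update
    is linear, doing it 8 shifts at a time gives the same function.
    """
    crc = INIT
    for b in data:
        crc ^= b
        n = reverse_bits64(crc)
        for _ in range(8):
            n = shift_step_msb(n)
        crc = reverse_bits64(n)
    return crc ^ XOROUT


def crc64_reflected(data: bytes) -> int:
    """Textbook reflected (LSB-first) CRC-64 with the bit-reversed polynomial."""
    crc = INIT
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (POLY_REFLECTED if crc & 1 else 0)
    return crc ^ XOROUT


if __name__ == "__main__":
    for msg in (b"", b"simonzack"):
        assert crc64_as_in_binary(msg) == crc64_reflected(msg)
        print(msg, hex(crc64_reflected(msg)))
```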

most of eset's crackmes so far need a certain crc to be reversed, so you'd better get used to it if you do more :)

Getting firefight to work on win7

Firefight's a game made by chaos works, in 1996

Surprisingly it works on windows 7 with little effort, and without the need to use windows compatibility mode

After a little debugging, the reason it doesn't run on windows 7 (both LOADER.EXE and FIREFGHT.EXE) turns out to be a bug in the program: it calls SetWindowsHookExA with a thread id of null

The bug doesn't manifest itself under win98

The thread id value is filled in after this call instead of before it

I didn't dig deeper into this; this behaviour probably changed after win98
from msdn: "An error may occur if the hMod parameter is NULL and the dwThreadId parameter is zero"

there's also a small cd check in FIREFGHT.EXE, patching this makes the game work

I've uploaded the patched files here, if you need them
http://www.mediafire.com/?omab7605dwwh7ek

ps.

if you want to get this game, you could probably find it on the internet somewhere
if not, send me an email

Wednesday, 25 May 2011

eset crackme 2011

Go check out eset's new 2011 crackme
http://2011.confidence.org.pl/

It shares some stuff from their 2010 confidence crackme

I'd rate this 3/10 on a crackmes.de scale

here's an example name/key

simonzack
9f6d5eab-dtdlcdp3asalclsatpt1

will publish a solution here when confidence ends

Getting nfs high stakes to work better on win7

Years back, I played this game all the time
After playing some of the much more recent shift 2, and failing to get past the drifting (don't have a steering wheel :( ), I thought of playing this again, this time on windows 7

There already exist many good tutorials on getting it to work on 7, but there are a few small problems
the patch (v4.50) runs the game using PatchNFS.exe
starting this up always redirects the game to the network play screen and displays an "Unkown error" (the network connection fails, probably due to server changes in the past 10 years), there are no title movies, and the game needs the iso mounted to play

So I started looking at the exe to see if I could make some changes

the main nfs exe, nfshs.exe, is no longer securom protected in the patch, which makes things much easier

starting up this exe gives an error message telling us what arguments are needed
these are probably passed by the loader, PatchNFS.exe

searching for the movie file names leads to where the movies are played

I found this here:

mov eax, offset aEatumble_mad ; "EAtumble.mad"
call playMovie
mov eax, offset aNfstitle_mad ; "NFStitle.mad"

here EAtumble refers to the ea logo, NFStitle is the game intro

going into the next call shows there's a flag that needs to be unset to allow the movie to play (this flag also starts up the network play)

after debugging a bit, it turns out this flag is set during argument parsing

if the game is started using -PatchRestart, the flag is set

looking at the parsing a little more reveals that at least one argument must be given for the game to start

the only other argument is -D3D%d

I tried starting the game using -D3D9
and there it is, the title screen and logo all back, some of the game graphics options open up too

now onto the second problem, removing the need to insert the cd
the cd checks are simple to bypass
but after trying to start the game, we are greeted with a "sound files not found" message

debugging a bit more, the sound file paths are overridden for some file types by the registry value located here:
HKLM\Software\Electronic Arts\Need For Speed High Stakes\1.0 SrcDrive

change the path to your installation path, copy over the sound and movie files, and the game starts perfectly without needing to mount an iso

here are the diffs if you need them (file offset, original bytes > patched bytes)
F7324 75 > EB
F737C 75 > EB
104045 74CC > 9090

have fun playing this old classic